Windows Analysis Report
71p2xmx6rP.exe

Overview

General Information

Sample name: 71p2xmx6rP.exe
renamed because original name is a hash value
Original sample name: ae378e9945904bf8b4c090d697fe2395a511ed2a36176ddfb7530f22dfc32ac8.exe
Analysis ID: 1447423
MD5: 1813e42a2e7867866ae3644ce0f342a7
SHA1: 739ae80603b8c2d86c35aa59050341995fec4817
SHA256: ae378e9945904bf8b4c090d697fe2395a511ed2a36176ddfb7530f22dfc32ac8
Tags: BlackMatter, exe, lockbit
Infos:

Detection

LockBit ransomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
AI detected suspicious sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Deletes itself after installation
Hides threads from debuggers
Machine Learning detection for sample
Writes many files with high entropy
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 71p2xmx6rP.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\71p2xmx6rP.exe" MD5: 1813E42A2E7867866AE3644CE0F342A7)
    • 4BD.tmp (PID: 6716 cmdline: "C:\ProgramData\4BD.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)
      • cmd.exe (PID: 3856 cmdline: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4BD.tmp >> NUL MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
71p2xmx6rP.exe | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
71p2xmx6rP.exe | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Source | Rule | Description | Author | Strings
00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
00000000.00000000.2087527978.0000000000E31000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
00000000.00000000.2087527978.0000000000E31000.00000020.00000001.01000000.00000003.sdmp | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Source | Rule | Description | Author | Strings
0.2.71p2xmx6rP.exe.e30000.0.unpack | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
0.2.71p2xmx6rP.exe.e30000.0.unpack | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
0.0.71p2xmx6rP.exe.e30000.0.unpack | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security |
0.0.71p2xmx6rP.exe.e30000.0.unpack | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown |
  • 0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
  • 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 71p2xmx6rP.exe | Avira: detected
Source: C:\ProgramData\4BD.tmp | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\ProgramData\4BD.tmp | ReversingLabs: Detection: 83%
Source: 71p2xmx6rP.exe | ReversingLabs: Detection: 95%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.7% probability
Source: 71p2xmx6rP.exe | Joe Sandbox ML: detected
Source: 71p2xmx6rP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | File created: C:\9yqsodVzM.README.txt
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | File created: C:\$WinREAgent\9yqsodVzM.README.txt
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | File created: C:\$WinREAgent\Scratch\9yqsodVzM.README.txt
Source: 71p2xmx6rP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E374BC FindFirstFileExW,FindNextFileW, 0_2_00E374BC
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3A094 FindFirstFileExW,FindClose, 0_2_00E3A094
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E35C24 FindFirstFileW,FindClose,FindNextFileW,FindClose, 0_2_00E35C24
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E37590 FindFirstFileExW,FindClose, 0_2_00E37590
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3766C FindFirstFileExW,GetFileAttributesW,FindNextFileW, 0_2_00E3766C
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3F308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose, 0_2_00E3F308
Source: C:\ProgramData\4BD.tmp | Code function: 2_2_0040227C FindFirstFileExW, 2_2_0040227C
Source: C:\ProgramData\4BD.tmp | Code function: 2_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose, 2_2_0040152C
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E37468 GetLogicalDriveStringsW,GetDriveTypeW, 0_2_00E37468
Source: 9yqsodVzM.README.txt0.0.dr, 9yqsodVzM.README.txt.0.dr, 9yqsodVzM.README.txt1.0.dr | String found in binary or memory: https://getsession.org/;

Spam, unwanted Advertisements and Ransom Demands

Source: C:\9yqsodVzM.README.txt | Dropped file: Go to https://getsession.org/; download & install; then add 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912 to your contacts and send a message with this codename ---> WINDOWS
Source: Yara match | File source: 71p2xmx6rP.exe, type: SAMPLE
Source: Yara match | File source: 0.2.71p2xmx6rP.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.71p2xmx6rP.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2087527978.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\71p2xmx6rP.exe entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\AAAAAAAAAAAAAA (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\BBBBBBBBBBBBBB (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\CCCCCCCCCCCCCC (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\DDDDDDDDDDDDDD (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\EEEEEEEEEEEEEE (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\FFFFFFFFFFFFFF (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\GGGGGGGGGGGGGG (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\HHHHHHHHHHHHHH (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\IIIIIIIIIIIIII (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\JJJJJJJJJJJJJJ (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\KKKKKKKKKKKKKK (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\LLLLLLLLLLLLLL (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\MMMMMMMMMMMMMM (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\NNNNNNNNNNNNNN (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\OOOOOOOOOOOOOO (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\PPPPPPPPPPPPPP (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\QQQQQQQQQQQQQQ (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\RRRRRRRRRRRRRR (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\SSSSSSSSSSSSSS (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\TTTTTTTTTTTTTT (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\UUUUUUUUUUUUUU (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\VVVVVVVVVVVVVV (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\WWWWWWWWWWWWWW (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\XXXXXXXXXXXXXX (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\YYYYYYYYYYYYYY (copy) entropy: 7.99680885025
Source: C:\ProgramData\4BD.tmp | File created: C:\Users\user\Desktop\ZZZZZZZZZZZZZZ (copy) entropy: 7.99680885025

System Summary

Source: 71p2xmx6rP.exe, type: SAMPLE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.2.71p2xmx6rP.exe.e30000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.0.71p2xmx6rP.exe.e30000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000000.2087527978.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E404B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe, 0_2_00E404B4
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E39880 NtClose, 0_2_00E39880
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3DC60 NtTerminateProcess, 0_2_00E3DC60
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3B470 NtProtectVirtualMemory, 0_2_00E3B470
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3B444 NtSetInformationThread, 0_2_00E3B444
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E47034 KiUserCallbackDispatcher,CreateThread,CreateThread,CreateThread,CreateThread,NtTerminateThread,CreateThread, 0_2_00E47034
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3E1E8 CreateThread,NtClose, 0_2_00E3E1E8
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3C28C CreateFileW,WriteFile,WriteFile,NtClose,WriteFile,WriteFile, 0_2_00E3C28C
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E36668 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW, 0_2_00E36668
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3E270 NtClose, 0_2_00E3E270
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3B674 NtQueryInformationToken, 0_2_00E3B674
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E37E58 NtQuerySystemInformation,Sleep, 0_2_00E37E58
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3B3C0 NtSetInformationThread,NtClose, 0_2_00E3B3C0
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E397D8 NtQuerySystemInformation, 0_2_00E397D8
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E38F68 RtlAdjustPrivilege,NtSetInformationThread, 0_2_00E38F68
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3B734 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 0_2_00E3B734
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3982A NtQuerySystemInformation, 0_2_00E3982A
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E39811 NtQuerySystemInformation, 0_2_00E39811
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E37EA3 NtQuerySystemInformation,Sleep, 0_2_00E37EA3
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E37E8A NtQuerySystemInformation,Sleep, 0_2_00E37E8A
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E38F66 RtlAdjustPrivilege,NtSetInformationThread, 0_2_00E38F66
Source: C:\ProgramData\4BD.tmp | Code function: 2_2_00402760 CreateFileW,ReadFile,NtClose, 2_2_00402760
Source: C:\ProgramData\4BD.tmp | Code function: 2_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 2_2_0040286C
Source: C:\ProgramData\4BD.tmp | Code function: 2_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW, 2_2_00402F18
Source: C:\ProgramData\4BD.tmp | Code function: 2_2_00401DC2 NtProtectVirtualMemory, 2_2_00401DC2
Source: C:\ProgramData\4BD.tmp | Code function: 2_2_00401D94 NtSetInformationThread, 2_2_00401D94
Source: C:\ProgramData\4BD.tmp | Code function: 2_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 2_2_004016B4
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3A68C: GetVolumeNameForVolumeMountPointW,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl, 0_2_00E3A68C
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E320AC 0_2_00E320AC
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E380B8 0_2_00E380B8
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E34D03 0_2_00E34D03
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E34D08 0_2_00E34D08
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E35218 0_2_00E35218
Source: Joe Sandbox View | Dropped File: C:\ProgramData\4BD.tmp 917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Process token adjusted: Security
Source: 71p2xmx6rP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 71p2xmx6rP.exe, type: SAMPLE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.2.71p2xmx6rP.exe.e30000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.0.71p2xmx6rP.exe.e30000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000000.2087527978.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 4BD.tmp.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.rans.evad.winEXE@6/141@0/0
Source: C:\ProgramData\4BD.tmp | Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\ProgramData\4BD.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 71p2xmx6rP.exe | ReversingLabs: Detection: 95%
Source: unknown | Process created: C:\Users\user\Desktop\71p2xmx6rP.exe "C:\Users\user\Desktop\71p2xmx6rP.exe"
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Process created: C:\ProgramData\4BD.tmp "C:\ProgramData\4BD.tmp"
Source: C:\ProgramData\4BD.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4BD.tmp >> NUL
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Process created: C:\ProgramData\4BD.tmp "C:\ProgramData\4BD.tmp"
Source: C:\ProgramData\4BD.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4BD.tmp >> NUL
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: activeds.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: adsldpc.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: gpedit.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: dssec.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: dsuiext.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: framedynos.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: dsrole.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: authz.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: adsldp.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Section loaded: wldp.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: apphelp.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: ncrypt.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: ntasn1.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: windows.storage.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: wldp.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: uxtheme.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: propsys.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: profapi.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: edputil.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: urlmon.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: iertutil.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: srvcli.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: netutils.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: sspicli.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: wintypes.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: appresolver.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: bcp47langs.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: slc.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: userenv.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: sppc.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\4BD.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | File written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini
Source: 71p2xmx6rP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 71p2xmx6rP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 71p2xmx6rP.exe | Static PE information: real checksum: 0x2794d should be: 0x25c33
Source: 4BD.tmp.0.dr | Static PE information: real checksum: 0x8fd0 should be: 0x4f26
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E361ED push esp; retf 0_2_00E361F6
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E335D3 push 0000006Ah; retf 0_2_00E33644
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E335D5 push 0000006Ah; retf 0_2_00E33644
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3356B push 0000006Ah; retf 0_2_00E33644
Source: 4BD.tmp.0.dr | Static PE information: section name: .text entropy: 7.985216639497568
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | File created: C:\ProgramData\4BD.tmp
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | File created: C:\ProgramData\4BD.tmp
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | File created: C:\9yqsodVzM.README.txt
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | File created: C:\$WinREAgent\9yqsodVzM.README.txt
Source: C:\Users\user\Desktop\71p2xmx6rP.exe | File created: C:\$WinREAgent\Scratch\9yqsodVzM.README.txt

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: C:\ProgramData\4BD.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4BD.tmp >> NUL
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E391C8 RegCreateKeyExW,RegEnumKeyW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW,0_2_00E391C8
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\ProgramData\4BD.tmp | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
            Source: C:\ProgramData\4BD.tmp | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E310BC 0_2_00E310BC
            Source: C:\ProgramData\4BD.tmp | Code function: 2_2_00401E28 2_2_00401E28
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E310BC rdtsc 0_2_00E310BC
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E374BC FindFirstFileExW,FindNextFileW,0_2_00E374BC
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3A094 FindFirstFileExW,FindClose,0_2_00E3A094
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E35C24 FindFirstFileW,FindClose,FindNextFileW,FindClose,0_2_00E35C24
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E37590 FindFirstFileExW,FindClose,0_2_00E37590
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3766C FindFirstFileExW,GetFileAttributesW,FindNextFileW,0_2_00E3766C
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E3F308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,0_2_00E3F308
            Source: C:\ProgramData\4BD.tmp | Code function: 2_2_0040227C FindFirstFileExW,2_2_0040227C
            Source: C:\ProgramData\4BD.tmp | Code function: 2_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,2_2_0040152C
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E37468 GetLogicalDriveStringsW,GetDriveTypeW,0_2_00E37468
            Source: 4BD.tmp, 00000002.00000002.2158829126.0000000000633000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: 71p2xmx6rP.exe, 00000000.00000002.2155695790.000000000105E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdminF
            Source: 71p2xmx6rP.exe, 00000000.00000003.2118673727.00000000010B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Thread information set: HideFromDebugger
            Source: C:\ProgramData\4BD.tmp | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E310BC rdtsc 0_2_00E310BC
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E35A20 LdrLoadDll,0_2_00E35A20
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Memory written: C:\ProgramData\4BD.tmp base: 401000
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Process created: C:\ProgramData\4BD.tmp "C:\ProgramData\4BD.tmp"
            Source: C:\ProgramData\4BD.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4BD.tmp >> NUL
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E310BC cpuid 0_2_00E310BC
            Source: C:\ProgramData\4BD.tmp | Code function: EntryPoint,ExitProcess,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,2_2_00403983
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Code function: 0_2_00E404B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtDuplicateObject,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,0_2_00E404B4
            Source: C:\Users\user\Desktop\71p2xmx6rP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 112 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 311 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 112 Process Injection | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Indicator Removal | LSA Secrets | 122 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Source | Detection | Scanner | Label
            71p2xmx6rP.exe | 96% | ReversingLabs | Win32.Ransomware.Lockbit
            71p2xmx6rP.exe | 100% | Avira | BDS/ZeroAccess.Gen7
            71p2xmx6rP.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\ProgramData\4BD.tmp | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\ProgramData\4BD.tmp | 100% | Joe Sandbox ML |
            C:\ProgramData\4BD.tmp | 83% | ReversingLabs | Win32.Trojan.Malgent
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            https://getsession.org/; | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
            fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://getsession.org/; | 9yqsodVzM.README.txt0.0.dr, 9yqsodVzM.README.txt.0.dr, 9yqsodVzM.README.txt1.0.dr | true | Avira URL Cloud: safe | unknown
                No contacted IP infos
                Joe Sandbox version: 40.0.0 Tourmaline
                Analysis ID: 1447423
                Start date and time: 2024-05-25 00:35:05 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 2m 54s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 7
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: 71p2xmx6rP.exe (renamed because original name is a hash value)
                Original Sample Name: ae378e9945904bf8b4c090d697fe2395a511ed2a36176ddfb7530f22dfc32ac8.exe
                Detection: MAL
                Classification: mal100.rans.evad.winEXE@6/141@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 71
                • Number of non-executed functions: 6
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
                • Excluded IPs from analysis (whitelisted): 40.68.123.157, 13.95.31.18
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtEnumerateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: 71p2xmx6rP.exe
                No simulations
                No context
                No context
                No context
                Match | Associated Sample Name / URL | Detection | Threat Name
                C:\ProgramData\4BD.tmp | 98ST13Qdiy.exe | malicious | LockBit ransomware
                C:\ProgramData\4BD.tmp | c8JakemodH.exe | malicious | LockBit ransomware
                C:\ProgramData\4BD.tmp | Document.doc.scr.exe | malicious | LockBit ransomware, TrojanRansom
                C:\ProgramData\4BD.tmp | Rcqcps3y45.exe | malicious | LockBit ransomware
                C:\ProgramData\4BD.tmp | LBB.exe | malicious | LockBit ransomware
                C:\ProgramData\4BD.tmp | lockbit_unpacked.exe | malicious | LockBit ransomware
                C:\ProgramData\4BD.tmp | maXk5kqpyK.exe | malicious | LockBit ransomware
                C:\ProgramData\4BD.tmp | abc.exe | malicious | LockBit ransomware
                C:\ProgramData\4BD.tmp | 55Seo_SeungJoon44.docx | malicious | LockBit ransomware
                                    Process: C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type: data
                                    Category: dropped
                                    Size (bytes): 129
                                    Entropy (8bit): 6.5809189220563695
                                    Encrypted: false
                                    SSDEEP: 3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5: BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1: F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256: 8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512: 0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious: false
                                    Reputation: low
                                    Preview: ..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.5809189220563695
                                    Encrypted:false
                                    SSDEEP:3:GlgpFsK95rDpalVCGzJRu729hNtCElkTdBnuzCNvZbxfqEbvpFyWW:GmFT5rDpaVCGzfP9hDInuzCNvZb0EKj
                                    MD5:BE0E5AF07D64B748B69EEA4B741366C7
                                    SHA1:F7E4CA346A71BEEB410A2DAE7F2C61BCF1B56D42
                                    SHA-256:8EDF9D5BD308EE1C36D4C2449DB21C90FC73C380C24BDB5AC328DD266E0BBCC0
                                    SHA-512:0249EAE9C42E06D113913BAAA3C66CCA7ECB976AD0CBAA373A718FD57DDF3A3385CF287B07F3CD749D3DC771F789EB82FB651C3799D3FF47F8BFDE6D664FF254
                                    Malicious:false
                                    Preview:..yI3?..t.M.....T.k...C.4c..jJ?..U.gDt.......j.S..X.W`vK.H.....)...0kI......HcC*a.O.4[..TL.;\%}.........r. sj>..Q.J..l..3F.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.596422798025361
                                    Encrypted:false
                                    SSDEEP:3:lNLaPJ8GCZXCG+L+X8n+ZCOZZoFq4gj0NGOjMVKAKp8:vLEJ8GaSG+MU+PZuQ41GOjMVH
                                    MD5:631FD55B4F375B7912C37744E43EBB8C
                                    SHA1:65283A218CDB6982A4FC08935D9968D4A7AC7A82
                                    SHA-256:98CBFC1211D1C85A38F654D677EAE0FBA56B09E7A973BEAE3B6E7FB4A38B165A
                                    SHA-512:4BB2ACD02DD8787013D2E306DECA7B233EBBCDA7A3BF59BB9DB81661A747ED9FCF5510780962EEF662916B32BBE4FD5680AC80D6E541935B0D55A7DBAB3C6788
                                    Malicious:false
                                    Preview:[..../.\.0.q<..h. .l.)b.r.2...5...ri..S ..r......,|Mz.?......&l.......uO..$=...]..x...W.(.!.g|...4]#D$..g.5.....JO..[?.
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.648786267034382
                                    Encrypted:false
                                    SSDEEP:3:BZGFMCOlc2qucs2NCo6ozHMmM9BiiMg8zBlqNZ7BRh8g8RKCT3:7GFMNcXGozs9BF/8zBlgHx8RZD
                                    MD5:C8B4102184253FC51DFCF4A5F155AB3F
                                    SHA1:090105C3D9D9643DF928029D80E2E2E53587A2A3
                                    SHA-256:36CDF16A928C238CA23861569229E93848579B213E43C10A442B02ECB8AB7DB0
                                    SHA-512:DAB1A2528998F1E1B013B54873E8B19974BE0085E5A6657EF6A7C98FB6D2A8EA953405F8CB3AE444F32E8106F678338C1105294583FDA6AF57473FFA507FAFD6
                                    Malicious:false
                                    Preview:Y.P./..|...^$."...>*...W.r6.....y..x....;...M...i.... ..*...NL.5....2......V.s2xvv%.V....\.<1....3.!]...#.ED..C.F......g+i...E.G
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):6.513051577078358
                                    Encrypted:false
                                    SSDEEP:3:ya5ZnyWFeaY4gFe1BLhgE0lLWCoD3i8dRD/a9lXQn:5yWFeaY4g8PhgE0liCd2S9hQn
                                    MD5:DE610320C9431C1D111F4FA20BB05C68
                                    SHA1:3BC92C9CB3437BA41EE058430BD66910E7D3E32D
                                    SHA-256:411A9C9EB332783F691A39D6FC4AAA5F874C8F1814E252896A31765E0040A82F
                                    SHA-512:99D395682B941EB15F2102649D84E2E3CE8BDFBEC8828E2CE9F37EE8D18CA9E76D1801ABEECA5307C9D840136F556D925403719ECCC030C6B94432E886AFB45E
                                    Malicious:false
                                    Preview:.Tb...'.$0.....E..j.n*...Q~[..N.....#. .7.d...b.Cc.._..+..+.aH.s......|q/.p.....gu..f..pi.Pp........Q.v.b[V..$,P.Q^KIGb.pE9v
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):194
                                    Entropy (8bit):4.968383678984044
                                    Encrypted:false
                                    SSDEEP:6:QYCVEJ9r7qQFRQnptgGUJtLeOYARUMMCd6yE2:DCVupX2DEqaUNCd6yE2
                                    MD5:D800E57BC807B75A347A97DCACD47E9B
                                    SHA1:4F94193815C6934E72CC65F91393FE451D6B75BB
                                    SHA-256:BC0BB3921720C1B8AACBAA1E0A4B0BB9403CB491FA0E35DACCCDDAE550BE827B
                                    SHA-512:A763EDA98416BCB75ADF0C73014AC2E0C30AC3E988E5B0EB511C04FE6163B377B71BC2FA0A0A5FCBCC335B2A14ABF961D523261AB4CDB451BE90ECD023302BA9
                                    Malicious:false
                                    Preview:Go to https://getsession.org/; download & install; then add 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912 to your contacts and send a message with this codename ---> WINDOWS
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):194
                                    Entropy (8bit):4.968383678984044
                                    Encrypted:false
                                    SSDEEP:6:QYCVEJ9r7qQFRQnptgGUJtLeOYARUMMCd6yE2:DCVupX2DEqaUNCd6yE2
                                    MD5:D800E57BC807B75A347A97DCACD47E9B
                                    SHA1:4F94193815C6934E72CC65F91393FE451D6B75BB
                                    SHA-256:BC0BB3921720C1B8AACBAA1E0A4B0BB9403CB491FA0E35DACCCDDAE550BE827B
                                    SHA-512:A763EDA98416BCB75ADF0C73014AC2E0C30AC3E988E5B0EB511C04FE6163B377B71BC2FA0A0A5FCBCC335B2A14ABF961D523261AB4CDB451BE90ECD023302BA9
                                    Malicious:true
                                    Preview:Go to https://getsession.org/; download & install; then add 05c5dbb3e0f6c173dd4ca479587dbeccc1365998ff9042581cd294566645ec7912 to your contacts and send a message with this codename ---> WINDOWS
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):14336
                                    Entropy (8bit):7.4998500975364095
                                    Encrypted:false
                                    SSDEEP:384:5cFP7VtpK4p+31Mzh79W5vM+ZyUgGq4BtMvAxXCRsi:A7Vf9p+qQ02y5HW6kX
                                    MD5:294E9F64CB1642DD89229FFF0592856B
                                    SHA1:97B148C27F3DA29BA7B18D6AEE8A0DB9102F47C9
                                    SHA-256:917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2
                                    SHA-512:B87D531890BF1577B9B4AF41DDDB2CDBBFA164CF197BD5987DF3A3075983645A3ACBA443E289B7BFD338422978A104F55298FBFE346872DE0895BDE44ADC89CF
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 83%
                                    Joe Sandbox View:
                                    • Filename: 98ST13Qdiy.exe, Detection: malicious
                                    • Filename: c8JakemodH.exe, Detection: malicious
                                    • Filename: Document.doc.scr.exe, Detection: malicious
                                    • Filename: Rcqcps3y45.exe, Detection: malicious
                                    • Filename: LBB.exe, Detection: malicious
                                    • Filename: lockbit_unpacked.exe, Detection: malicious
                                    • Filename: maXk5kqpyK.exe, Detection: malicious
                                    • Filename: maXk5kqpyK.exe, Detection: malicious
                                    • Filename: abc.exe, Detection: malicious
                                    • Filename: 55Seo_SeungJoon44.docx, Detection: malicious
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....YPb.................,...........9.......@....@..........................p.......................@......................A..P....`...............................@......................`@.......................@..`............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...`....P.......4..............@....rsrc........`.......6..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:modified
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\ProgramData\4BD.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):148480
                                    Entropy (8bit):7.996808850252919
                                    Encrypted:true
                                    SSDEEP:3072:flF9DZOb/UAp5wJnF/bIvm7NFwVJtBglF9DZOb/UAp5wJnF/bIvm7NFwVJtBglFn:fFG5ir77iCFG5ir77iCF1
                                    MD5:E7F1B30A41BD3511262E45E2E8D03473
                                    SHA1:46649520CA4ED7B35BD2D9DC47344033B6E8D6BE
                                    SHA-256:CEDFE6C43D6C1176821FCA16E39342A9B1C7195DB265BC87E373C3E82004C8EA
                                    SHA-512:EE74874F57FEF311D80DD0CF408903EF7AC266049797218398BF444F34D09F0EFCBFE96B9AC7C1D11468986AB442B736E892AD447FD141F58A91450D136426B4
                                    Malicious:true
                                    Preview:..}jf_..L.x^..d..PO_Z..'.'.~..K.....p..gnnfH..Fn...6..@.G9...O..!rPz.^%`;...}.R..5.i.1-......E.......S..R0?5..H.Z[....WIe#.*S.......;Y2....J...)...\..V3`...r..y.k/.N.>....6...O...{._....+,..].7.,..gm.rP..\v.9.E.ij?..>.v..J..>a...K.D.q[.r&e...3......../.....%.-..{.{.[..0.......xU.|.!J.%..+i....w$....8.56et.....^...E.!.6.......J)b..2.ki;...*.1.;g........<.a^..kT..R.h.n..9..em......Z...1.:..........,.f.z00t*..O..N9.5..U.;.x.2;f.)..w..CCy..&..|..J..j.`D.0l...mwK)V.\e...b.ZFo..^.'...~'.1....M....X.4L;...8.P+../.f,@.*.@...;B.....m.....u..S.&.%.$!.9.`...[b..&..{i...[.0>y;..{\.!v(]H|..\....|.U.....4..=.9&.xe..=....f.H.......u......`sT..f.R.,.?v/......EJS...K....o......t.~..t...|...=..m_.6.l..L.....^..^...X....>.Ll...l.#...&^..B.9.e.9..u..p.2|.[....4.".5..z.U5Q}J...8C..S.\......5.........o...$....*J.-.M.m2.o....w.w.a........m.....4.7.....l.mk..J...)..t.U+z..q.....w..x7+U.%!..J.!.~zp.......^..\&[.....A..o....W.2L..l..V....(....|..=H.oN.D..
                                    Process:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):3.7452537105656543
                                    Encrypted:false
                                    SSDEEP:3:2lc5I2Y1AnslrtmFRR:CtGsKRR
                                    MD5:1EEDEF869458CAB5998D7C6F8AB09C00
                                    SHA1:00FD2CD177BFD04B7187A6EC8F4F8411A4895092
                                    SHA-256:EB15CA0DEE653C9A2A5A97A9A54407F350660AA8E1447DCD363956973817D4D7
                                    SHA-512:4AC0994C24687FC9D7DD76890FFE21780065879B01EBC7C230A5E1D6FB0A48EEA7F944CB6FD5FCBEB85F0A9375E7DAED8FEA3D20EF74B5C125FA3DF8B70739DF
                                    Malicious:false
                                    Preview:....4.9.4.1.2.6.....\MAILSLOT\NET\GETDCAEB7D3C9............ ....
                                    Process:C:\Windows\SysWOW64\cmd.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):21
                                    Entropy (8bit):4.20184123230257
                                    Encrypted:false
                                    SSDEEP:3:otl5:otr
                                    MD5:778E4B2E7388E69FFE26C31306991137
                                    SHA1:186314591EAD7B2DD3B31F851C6FBC636F918419
                                    SHA-256:E1342D2A90931E08F4B258FE9FEE93591696749FF68B0CEDAB0EDCAF4DB10569
                                    SHA-512:F8C16BA2BDA900B2A86F92D136DA68ECFE58AD498203D93391B3B1EFFF0AFC8979F177DD39FE6533C9679584DF1DEA69262B43AE784C3EF6D5E73F59148906B9
                                    Malicious:false
                                    Preview:C:\PROGRA~3\4BD.tmp..
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.206361284346211
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.94%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:71p2xmx6rP.exe
                                    File size:148'480 bytes
                                    MD5:1813e42a2e7867866ae3644ce0f342a7
                                    SHA1:739ae80603b8c2d86c35aa59050341995fec4817
                                    SHA256:ae378e9945904bf8b4c090d697fe2395a511ed2a36176ddfb7530f22dfc32ac8
                                    SHA512:b2cf823c376385f2e92d3df25489d79a16833a5766c29a29b90ccc486844c8de831438ce167570b871a6f4f2317ecc83eafa7cc6da2ee81e7b872077ce3e7828
                                    SSDEEP:3072:S6glyuxE4GsUPnliByocWepJWkCKVaOl4lAF1:S6gDBGpvEByocWeyyVa+4lAF
                                    TLSH:2AE36D21F212D0B3C83718F53736B572F39E4E2C15A96847DAE80F9DACA58132F45A97
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..c............................o.............@.................................My....@...........@....................
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x41946f
                                    Entrypoint Section:.itext
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x631A9665 [Fri Sep 9 01:27:01 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:41fb8cb2943df6de998b35a9d28668e8
                                    Instruction
                                    nop
                                    nop word ptr [eax+eax+00000000h]
                                    call 00007F071CB97C27h
                                    nop dword ptr [eax+00h]
                                    call 00007F071CB84FBAh
                                    nop
                                    call 00007F071CB885A7h
                                    nop dword ptr [eax+00h]
                                    call 00007F071CB96066h
                                    nop word ptr [eax+eax+00h]
                                    push 00000000h
                                    call dword ptr [004255C8h]
                                    nop word ptr [eax+eax+00000000h]
                                    call 00007F071CB979C6h
                                    call 00007F071CB979B5h
                                    call 00007F071CB979A4h
                                    call 00007F071CB979B1h
                                    call 00007F071CB9799Ah
                                    call 00007F071CB97995h
                                    call 00007F071CB97996h
                                    call 00007F071CB979AFh
                                    call 00007F071CB979A4h
                                    call 00007F071CB9796Fh
                                    call 00007F071CB9794Ch
                                    call 00007F071CB97959h
                                    call 00007F071CB97948h
                                    call 00007F071CB97961h
                                    call 00007F071CB97962h
                                    call 00007F071CB9794Bh
                                    call 00007F071CB9793Ah
                                    call 00007F071CB9791Dh
                                    call 00007F071CB97918h
                                    call 00007F071CB97937h
                                    call 00007F071CB9791Ah
                                    call 00007F071CB97903h
                                    call 00007F071CB9790Ah
                                    call 00007F071CB96495h
                                    call 00007F071CB9649Ch
                                    call 00007F071CB96479h
                                    call 00007F071CB96480h
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a230 | 0x50 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x27000 | 0xfd0 | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1a120 | 0x1c | .rdata
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x70 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x1000 | 0x17de8 | 0x17e00 | cfbda2c44e51b3b0b00bcbbc767c62a2 | False | 0.48375122709424084 | data | 6.634079266913224 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .itext | 0x19000 | 0x546 | 0x600 | 6f4cd57381bb5584c0a0755384d25180 | False | 0.251953125 | data | 2.9337361310958805 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rdata | 0x1a000 | 0x492 | 0x600 | bd829aa493ecd52fe5bec776d207f206 | False | 0.3671875 | data | 3.5366359784052652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .data | 0x1b000 | 0xadc8 | 0xa000 | 890fbcc4a2a354b5c518c6e6b4632aee | False | 0.9828125 | SysEx File - | 7.9880514853425275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .pdata | 0x26000 | 0x59e | 0x600 | 3f4bf9bbb1401d1c4c635bdc4805d304 | False | 0.974609375 | data | 7.6801906954842565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .reloc | 0x27000 | 0xfd0 | 0x1000 | 3f87e4c23650dfad0bee7da98889ba94 | False | 0.843505859375 | GLS_BINARY_LSB_FIRST | 6.738987246879603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     DLL | Import
                                     gdi32.dll | SetPixel, SetDCBrushColor, SelectPalette, GetTextColor, GetDeviceCaps, CreateSolidBrush
                                     USER32.dll | DefWindowProcW, CreateMenu, EndDialog, GetDlgItem, GetKeyNameTextW, GetMessageW, GetWindowTextW, IsDlgButtonChecked, LoadImageW, LoadMenuW, DialogBoxParamW
                                     KERNEL32.dll | SetLastError, LoadLibraryW, GetTickCount, GetLastError, GetCommandLineW, GetCommandLineA, FreeLibrary
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     May 25, 2024 00:36:12.024173975 CEST | 1.1.1.1 | 192.168.2.6 | 0xaecd | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                     May 25, 2024 00:36:12.024173975 CEST | 1.1.1.1 | 192.168.2.6 | 0xaecd | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                                     May 25, 2024 00:36:13.571372986 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                     May 25, 2024 00:36:13.571372986 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false

                                    Target ID:0
                                    Start time:18:35:52
                                    Start date:24/05/2024
                                    Path:C:\Users\user\Desktop\71p2xmx6rP.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\71p2xmx6rP.exe"
                                    Imagebase:0xe30000
                                    File size:148'480 bytes
                                    MD5 hash:1813E42A2E7867866AE3644CE0F342A7
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                    • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000000.2087527978.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000000.2087527978.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:18:35:58
                                    Start date:24/05/2024
                                    Path:C:\ProgramData\4BD.tmp
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\4BD.tmp"
                                    Imagebase:0x400000
                                    File size:14'336 bytes
                                    MD5 hash:294E9F64CB1642DD89229FFF0592856B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 83%, ReversingLabs
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:3
                                    Start time:18:35:59
                                    Start date:24/05/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4BD.tmp >> NUL
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:18:35:59
                                    Start date:24/05/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:15.1%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:15.7%
                                      Total number of Nodes:1916
                                      Total number of Limit Nodes:7
RtlAllocateHeap 9694->9695 9696 e36eaf 9695->9696 9696->9691 9698 e36844 RtlAllocateHeap 9697->9698 9701 e397f6 9698->9701 9699 e397f9 NtQuerySystemInformation 9700 e3980f 9699->9700 9699->9701 9700->9611 9705 e3686c RtlFreeHeap 9700->9705 9701->9699 9702 e3982c 9701->9702 9711 e36894 9701->9711 9704 e3686c RtlFreeHeap 9702->9704 9704->9700 9706 e39872 9705->9706 9706->9611 9710 e398a5 9707->9710 9708 e39977 9708->9612 9709 e3996e NtClose 9709->9708 9710->9708 9710->9709 9712 e3689c 9711->9712 9713 e368aa RtlReAllocateHeap 9712->9713 9713->9701 9715 e3e35c 9714->9715 9717 e3e369 9714->9717 9716 e36844 RtlAllocateHeap 9715->9716 9715->9717 9716->9717 9717->9627 9719 e39752 9718->9719 9721 e3977a 9718->9721 9720 e36844 RtlAllocateHeap 9719->9720 9720->9721 9721->9641 9723 e36844 RtlAllocateHeap 9722->9723 9724 e3ac4d 9723->9724 9725 e3ac83 9724->9725 9726 e36894 RtlReAllocateHeap 9724->9726 9730 e3ac66 9724->9730 9727 e3686c RtlFreeHeap 9725->9727 9726->9724 9727->9730 9728 e3686c RtlFreeHeap 9729 e3adb0 9728->9729 9729->9646 9730->9646 9730->9728 9732 e36844 RtlAllocateHeap 9731->9732 9733 e36e2a 9732->9733 9733->9670 9736 e42f69 9734->9736 9735 e430f7 9735->9684 9736->9735 9738 e3b3c0 9736->9738 9739 e3b3d2 9738->9739 9740 e3b3cf 9738->9740 9739->9740 9741 e3b419 NtSetInformationThread 9739->9741 9740->9735 9742 e3b42f NtClose 9741->9742 9743 e3b42e 9741->9743 9742->9740 9743->9742 9745 e39bc3 9744->9745 9746 e39c5e 9744->9746 10026 e37fbc 9745->10026 9752 e47034 KiUserCallbackDispatcher 9746->9752 9748 e39c11 10030 e368ec 9748->10030 9750 e404b4 14 API calls 9750->9748 9762 e47059 9752->9762 9768 e470ff 9752->9768 9753 e47145 CreateThread CreateThread 9755 e47183 9753->9755 9756 e4717e 9753->9756 10493 e37468 GetLogicalDriveStringsW 9753->10493 10498 e3782c CoInitialize 9753->10498 9754 e4711a CreateThread 9754->9753 9758 e47135 9754->9758 10478 e38f68 RtlAdjustPrivilege 9754->10478 9760 e471a4 9755->9760 9761 e4718c CreateThread 9755->9761 10036 e37ca4 
OpenSCManagerW 9756->10036 9757 e470bc 9764 e39c64 3 API calls 9757->9764 9757->9768 9758->9753 9772 e47221 9760->9772 10044 e3b734 9760->10044 9761->9760 10500 e37e58 9761->10500 9762->9757 10145 e39c64 9762->10145 9764->9768 9766 e4727f 9770 e472a3 9766->9770 9771 e47288 CreateThread 9766->9771 9767 e4726b NtTerminateThread 9767->9766 9768->9753 9768->9754 9776 e47392 9770->9776 9799 e472c3 9770->9799 9771->9770 10473 e39628 9771->10473 9772->9766 9772->9767 9775 e47201 9779 e47214 9775->9779 9784 e3e2b8 2 API calls 9775->9784 10188 e41934 9776->10188 10120 e3e270 9779->10120 9783 e47339 9785 e3b674 NtQueryInformationToken 9783->9785 9789 e4720f 9784->9789 9791 e4733e 9785->9791 9788 e3e2b8 2 API calls 9794 e471f2 9788->9794 10098 e3fc88 9789->10098 9795 e47342 9791->9795 9796 e47349 9791->9796 9792 e3e2b8 2 API calls 9792->9772 10067 e40a38 9794->10067 10166 e38960 9795->10166 10170 e38230 9796->10170 9799->9783 10124 e3da00 9799->10124 9801 e47390 9801->9471 9803 e471f7 9804 e3e2b8 2 API calls 9803->9804 9806 e471fc 9804->9806 10074 e40be4 9806->10074 9807 e47347 9807->9801 10139 e39640 9807->10139 9811 e404b4 14 API calls 9811->9801 9813 e36934 RtlAllocateHeap 9812->9813 9815 e42074 9813->9815 9814 e4210d 9814->9471 9815->9814 9816 e420a5 9815->9816 9817 e42096 9815->9817 10639 e37428 9816->10639 10611 e40000 9817->10611 9821 e42105 9822 e3686c RtlFreeHeap 9821->9822 9822->9814 9823 e36844 RtlAllocateHeap 9855 e420ea 9823->9855 9824 e42122 9825 e3686c RtlFreeHeap 9824->9825 9825->9814 9826 e42196 9829 e3686c RtlFreeHeap 9826->9829 9827 e3a338 2 API calls 9827->9855 9828 e3a280 NtSetInformationThread NtClose 9828->9855 9829->9814 9830 e4236f 9831 e3686c RtlFreeHeap 9830->9831 9831->9814 9832 e4228e 9833 e3686c RtlFreeHeap 9832->9833 9833->9814 9834 e422a1 10651 e3a3dc 9834->10651 9835 e3686c RtlFreeHeap 9835->9855 9836 e42271 9838 e3686c RtlFreeHeap 9836->9838 9837 e423a1 9841 e36984 RtlAllocateHeap 9837->9841 9838->9814 9839 e422c5 9843 e42323 9839->9843 9844 
e4232d 9839->9844 9840 e42382 9840->9837 9845 e42397 9840->9845 9846 e423fa 9841->9846 9849 e36984 RtlAllocateHeap 9843->9849 10655 e36a74 9844->10655 9851 e3686c RtlFreeHeap 9845->9851 9852 e3686c RtlFreeHeap 9846->9852 9854 e4232b 9849->9854 9851->9814 9856 e42403 9852->9856 9853 e422b8 9857 e3686c RtlFreeHeap 9853->9857 9858 e3686c RtlFreeHeap 9854->9858 9855->9814 9855->9821 9855->9823 9855->9824 9855->9826 9855->9827 9855->9828 9855->9830 9855->9832 9855->9834 9855->9835 9855->9836 9855->9837 9855->9839 9855->9840 9859 e3ab68 NtSetInformationThread NtClose 9855->9859 10645 e3a958 9855->10645 9856->9814 9860 e4096c 8 API calls 9856->9860 9857->9814 9861 e4233e 9858->9861 9859->9855 9860->9814 9861->9814 10659 e4096c 9861->10659 9864 e41d28 2 API calls 9863->9864 9865 e41f02 9864->9865 9866 e41f06 9865->9866 9867 e41f27 9865->9867 9869 e41f22 9866->9869 9871 e404b4 14 API calls 9866->9871 9868 e39640 2 API calls 9867->9868 9870 e41f2c 9868->9870 9869->9471 9872 e41f30 9870->9872 9873 e41f3a 9870->9873 9871->9869 9874 e47034 105 API calls 9872->9874 10670 e3b4dc CheckTokenMembership 9873->10670 9876 e41f35 9874->9876 9876->9471 9877 e42056 9877->9471 9878 e41fb5 9879 e41ffe 9878->9879 9884 e39c64 3 API calls 9878->9884 10671 e40e30 9879->10671 9880 e39c64 3 API calls 9880->9878 9882 e41f3f 9882->9877 9882->9878 9882->9880 9884->9879 9888 e4202b 9888->9877 10719 e41170 9888->10719 9891 e38230 2 API calls 9892 e4204f 9891->9892 9893 e416ac 2 API calls 9892->9893 9893->9877 10758 e41be8 9894->10758 9897 e38230 2 API calls 9898 e473bf 9897->9898 9899 e3b674 NtQueryInformationToken 9898->9899 9902 e473d8 9899->9902 9900 e47450 9900->9471 9901 e39640 2 API calls 9903 e47430 9901->9903 9902->9900 9902->9901 9904 e404b4 14 API calls 9903->9904 9904->9900 9906 e43954 RtlAllocateHeap 9905->9906 9911 e46fb2 9906->9911 9907 e47021 9908 e4702f 9907->9908 9909 e3686c RtlFreeHeap 9907->9909 9920 e46bbc 9908->9920 9909->9908 9910 e46ff6 10789 e43ea0 9910->10789 9911->9907 
9911->9910 10771 e46490 9911->10771 9917 e47017 9919 e43ea0 2 API calls 9917->9919 9919->9907 9921 e46bd0 9920->9921 9922 e46d9f 9920->9922 9923 e43954 RtlAllocateHeap 9921->9923 9922->9471 9928 e46be0 9923->9928 9924 e46d91 9924->9922 9927 e3686c RtlFreeHeap 9924->9927 9925 e46c86 9925->9924 9926 e3686c RtlFreeHeap 9925->9926 9926->9924 9927->9922 9928->9925 9929 e36844 RtlAllocateHeap 9928->9929 9930 e46ca8 9929->9930 9930->9925 11097 e46688 9930->11097 9933 e43954 RtlAllocateHeap 9932->9933 9937 e4391e 9933->9937 9934 e43942 9935 e43950 9934->9935 9936 e3686c RtlFreeHeap 9934->9936 9935->9471 9936->9935 9937->9934 11107 e43784 9937->11107 9940 e46dc4 9939->9940 9941 e36de8 RtlAllocateHeap 9940->9941 9942 e46ed5 9941->9942 9943 e36de8 RtlAllocateHeap 9942->9943 9952 e46ede 9942->9952 9944 e46eef 9943->9944 9948 e36de8 RtlAllocateHeap 9944->9948 9944->9952 9945 e46f7b 9947 e46f89 9945->9947 9949 e3686c RtlFreeHeap 9945->9949 9946 e3686c RtlFreeHeap 9946->9945 9950 e46f97 9947->9950 9951 e3686c RtlFreeHeap 9947->9951 9948->9952 9949->9947 9950->9480 9951->9950 9952->9945 9952->9946 9954 e404e9 9953->9954 9955 e36de8 RtlAllocateHeap 9954->9955 9956 e40562 9955->9956 9957 e36844 RtlAllocateHeap 9956->9957 9958 e4056b 9956->9958 9960 e40582 9957->9960 9959 e40930 9958->9959 9961 e3686c RtlFreeHeap 9958->9961 9962 e4093e 9959->9962 9964 e3686c RtlFreeHeap 9959->9964 9960->9958 11125 e40338 9960->11125 9961->9959 9965 e4094c 9962->9965 9968 e3686c RtlFreeHeap 9962->9968 9964->9962 9966 e4095a 9965->9966 9969 e3686c RtlFreeHeap 9965->9969 9966->9471 9967 e405b3 9967->9958 9970 e405d4 GetTempFileNameW CreateFileW 9967->9970 9968->9965 9969->9966 9970->9958 9971 e40619 WriteFile 9970->9971 9971->9958 9972 e40635 CreateProcessW 9971->9972 9972->9958 9974 e4069f NtQueryInformationProcess 9972->9974 9974->9958 9975 e406c3 NtReadVirtualMemory 9974->9975 9975->9958 9976 e406ea 9975->9976 9977 e36de8 RtlAllocateHeap 9976->9977 9978 e406f4 9977->9978 9978->9958 9979 e40758 
NtProtectVirtualMemory 9978->9979 9979->9958 9980 e40784 NtWriteVirtualMemory 9979->9980 9980->9958 9981 e4079e 9980->9981 9981->9958 9982 e40801 NtDuplicateObject 9981->9982 9982->9958 9983 e40829 CreateNamedPipeW 9982->9983 9983->9958 9984 e40895 ResumeThread ConnectNamedPipe 9983->9984 9984->9958 9986 e3a35b 9985->9986 9987 e3b3c0 2 API calls 9986->9987 9988 e3a375 9986->9988 9987->9988 9988->9489 9988->9490 9990 e36934 RtlAllocateHeap 9989->9990 10016 e42440 9990->10016 9991 e3a338 2 API calls 9991->10016 9992 e425bc 9993 e3686c RtlFreeHeap 9992->9993 9997 e424c6 9993->9997 9994 e424db 9999 e3686c RtlFreeHeap 9994->9999 9995 e424ee 10003 e3a3dc 2 API calls 9995->10003 9996 e3a280 NtSetInformationThread NtClose 9996->10016 9997->9471 9998 e425cf 10001 e425ee 9998->10001 10006 e425e4 9998->10006 9999->9997 10000 e424be 10004 e3686c RtlFreeHeap 10000->10004 10002 e36984 RtlAllocateHeap 10001->10002 10007 e42647 10002->10007 10008 e42501 10003->10008 10004->9997 10005 e42512 10009 e42570 10005->10009 10010 e4257a 10005->10010 10011 e3686c RtlFreeHeap 10006->10011 10012 e3686c RtlFreeHeap 10007->10012 10008->10005 10013 e42505 10008->10013 10014 e36984 RtlAllocateHeap 10009->10014 10015 e36a74 RtlAllocateHeap 10010->10015 10011->9997 10017 e42650 10012->10017 10018 e3686c RtlFreeHeap 10013->10018 10019 e42578 10014->10019 10015->10019 10016->9991 10016->9992 10016->9994 10016->9995 10016->9996 10016->9997 10016->9998 10016->10000 10016->10001 10016->10005 10020 e3ab68 NtSetInformationThread NtClose 10016->10020 10023 e3686c RtlFreeHeap 10016->10023 10017->9997 10022 e4096c 8 API calls 10017->10022 10018->9997 10021 e3686c RtlFreeHeap 10019->10021 10020->10016 10024 e4258b 10021->10024 10022->9997 10023->10016 10024->9997 10025 e4096c 8 API calls 10024->10025 10025->9997 10028 e37fd5 10026->10028 10027 e3808e 10027->9748 10027->9750 10028->10027 10033 e368c0 10028->10033 10031 e3686c RtlFreeHeap 10030->10031 10032 e368fb 10031->10032 10032->9746 10034 e36844 
RtlAllocateHeap 10033->10034 10035 e368d6 10034->10035 10035->10027 10037 e37cd2 10036->10037 10038 e37dda 10036->10038 10040 e36844 RtlAllocateHeap 10037->10040 10039 e37df7 10038->10039 10041 e3686c RtlFreeHeap 10038->10041 10039->9755 10042 e37d01 10040->10042 10041->10039 10042->10038 10217 e3dc60 10042->10217 10045 e368c0 RtlAllocateHeap 10044->10045 10046 e3b73c 10045->10046 10047 e3b742 NtSetInformationProcess NtSetInformationProcess NtSetInformationProcess 10046->10047 10048 e3b784 10046->10048 10049 e368ec RtlFreeHeap 10047->10049 10050 e3e1e8 10048->10050 10049->10048 10053 e3e1f5 10050->10053 10051 e3e25a 10051->9772 10051->9775 10056 e3a68c 10051->10056 10052 e3e22a CreateThread 10052->10053 10221 e3de78 SetThreadPriority 10052->10221 10053->10051 10053->10052 10054 e3b444 NtSetInformationThread 10053->10054 10055 e3e24b NtClose 10054->10055 10055->10053 10057 e3a6b3 GetVolumeNameForVolumeMountPointW 10056->10057 10059 e3a6f6 FindFirstVolumeW 10057->10059 10062 e3a947 10059->10062 10066 e3a712 10059->10066 10060 e3a72b GetVolumePathNamesForVolumeNameW 10060->10066 10061 e3a75c GetDriveTypeW 10061->10066 10062->9788 10063 e3a7fd CreateFileW 10064 e3a823 DeviceIoControl 10063->10064 10063->10066 10064->10066 10065 e3a600 6 API calls 10065->10066 10066->10060 10066->10061 10066->10062 10066->10063 10066->10065 10068 e40a92 10067->10068 10071 e40b08 10068->10071 10073 e40b63 10068->10073 10225 e3b4dc CheckTokenMembership 10068->10225 10070 e40b0c 10070->9803 10071->10070 10226 e36984 10071->10226 10073->9803 10075 e40bf9 10074->10075 10230 e3a488 CreateThread 10075->10230 10077 e40c0b 10078 e36844 RtlAllocateHeap 10077->10078 10097 e40c11 10077->10097 10080 e40c23 10078->10080 10079 e40e0a 10081 e40e18 10079->10081 10084 e3686c RtlFreeHeap 10079->10084 10083 e3a488 6 API calls 10080->10083 10080->10097 10085 e40e26 10081->10085 10087 e3686c RtlFreeHeap 10081->10087 10082 e3686c RtlFreeHeap 10082->10079 10086 e40c40 10083->10086 10084->10081 10085->9775 
10088 e36844 RtlAllocateHeap 10086->10088 10086->10097 10087->10085 10089 e40c5b 10088->10089 10090 e36844 RtlAllocateHeap 10089->10090 10089->10097 10096 e40c76 10090->10096 10092 e36984 RtlAllocateHeap 10093 e40cd2 CreateThread 10092->10093 10093->10096 10248 e3f308 GetFileAttributesW 10093->10248 10094 e36984 RtlAllocateHeap 10094->10096 10095 e3b3c0 2 API calls 10095->10096 10096->10092 10096->10094 10096->10095 10096->10097 10238 e3a1c0 CreateThread 10096->10238 10097->10079 10097->10082 10099 e3fcb4 10098->10099 10100 e36844 RtlAllocateHeap 10099->10100 10101 e3fcc1 10100->10101 10102 e3fcca 10101->10102 10401 e3f82c 10101->10401 10105 e3ffdb 10102->10105 10107 e3686c RtlFreeHeap 10102->10107 10106 e3ffe9 10105->10106 10108 e3686c RtlFreeHeap 10105->10108 10109 e3fff7 10106->10109 10111 e3686c RtlFreeHeap 10106->10111 10107->10105 10108->10106 10109->9779 10110 e36844 RtlAllocateHeap 10112 e3fcf7 10110->10112 10111->10109 10112->10102 10113 e36844 RtlAllocateHeap 10112->10113 10119 e3fd12 10113->10119 10114 e3f59c NtSetInformationThread NtClose 10114->10119 10116 e3686c RtlFreeHeap 10116->10119 10117 e3f6d8 NtSetInformationThread NtClose 10117->10119 10118 e3b3c0 2 API calls 10118->10119 10119->10102 10119->10114 10119->10116 10119->10117 10119->10118 10407 e369e0 10119->10407 10121 e3e2a7 10120->10121 10122 e3e27b 10120->10122 10121->9792 10122->10121 10123 e3e29b NtClose 10122->10123 10123->10121 10411 e3cedc 10124->10411 10126 e3da39 10133 e36de8 RtlAllocateHeap 10126->10133 10136 e3da42 10126->10136 10127 e3db6a 10128 e3db78 10127->10128 10130 e3686c RtlFreeHeap 10127->10130 10131 e3db86 10128->10131 10132 e3686c RtlFreeHeap 10128->10132 10129 e3686c RtlFreeHeap 10129->10127 10130->10128 10131->9783 10132->10131 10134 e3da8f 10133->10134 10135 e36844 RtlAllocateHeap 10134->10135 10134->10136 10137 e3dac5 10135->10137 10136->10127 10136->10129 10137->10136 10415 e3cfcc 10137->10415 10142 e39669 10139->10142 10140 e39735 10140->9811 10141 e3686c RtlFreeHeap 
10141->10140 10144 e39698 10142->10144 10454 e3c8c4 10142->10454 10144->10140 10144->10141 10147 e39c96 10145->10147 10146 e39c9a 10146->9757 10147->10146 10460 e43954 10147->10460 10149 e3a04a 10151 e3a05e 10149->10151 10153 e3686c RtlFreeHeap 10149->10153 10150 e3686c RtlFreeHeap 10150->10149 10152 e3a072 10151->10152 10154 e3686c RtlFreeHeap 10151->10154 10155 e3a086 10152->10155 10156 e3686c RtlFreeHeap 10152->10156 10153->10151 10154->10152 10155->9757 10156->10155 10157 e39e11 10158 e3b674 NtQueryInformationToken 10157->10158 10162 e39e20 10157->10162 10159 e39ee2 10158->10159 10160 e36de8 RtlAllocateHeap 10159->10160 10159->10162 10161 e39f25 10160->10161 10161->10162 10163 e36de8 RtlAllocateHeap 10161->10163 10162->10149 10162->10150 10164 e39f45 10163->10164 10164->10162 10165 e36de8 RtlAllocateHeap 10164->10165 10165->10162 10167 e38971 10166->10167 10168 e3b3c0 2 API calls 10167->10168 10169 e38b6c 10167->10169 10168->10169 10169->9807 10171 e3828b 10170->10171 10176 e38290 10170->10176 10172 e38909 10171->10172 10173 e3686c RtlFreeHeap 10171->10173 10174 e3686c RtlFreeHeap 10172->10174 10175 e38917 10172->10175 10173->10172 10174->10175 10175->9807 10176->10171 10177 e36844 RtlAllocateHeap 10176->10177 10178 e383cf 10177->10178 10178->10171 10179 e38401 10178->10179 10180 e383e7 10178->10180 10181 e36de8 RtlAllocateHeap 10179->10181 10182 e36de8 RtlAllocateHeap 10180->10182 10183 e383f1 10181->10183 10182->10183 10183->10171 10184 e38434 10183->10184 10186 e38448 10183->10186 10185 e3686c RtlFreeHeap 10184->10185 10185->10171 10186->10171 10463 e36c98 10186->10463 10189 e36de8 RtlAllocateHeap 10188->10189 10192 e41967 10189->10192 10190 e41aa8 10191 e41ab6 10190->10191 10194 e3686c RtlFreeHeap 10190->10194 10195 e41ac4 10191->10195 10197 e3686c RtlFreeHeap 10191->10197 10202 e41970 10192->10202 10467 e418b8 10192->10467 10193 e3686c RtlFreeHeap 10193->10190 10194->10191 10205 e41d28 10195->10205 10197->10195 10198 e419a4 10199 e36934 RtlAllocateHeap 
10198->10199 10198->10202 10200 e419bf 10199->10200 10201 e36de8 RtlAllocateHeap 10200->10201 10200->10202 10203 e41a25 10201->10203 10202->10190 10202->10193 10204 e3686c RtlFreeHeap 10203->10204 10204->10202 10206 e41e2c 10205->10206 10208 e41e5a 10206->10208 10470 e41c34 10206->10470 10209 e41eeb 10208->10209 10210 e3686c RtlFreeHeap 10208->10210 10211 e416ac 10209->10211 10210->10209 10212 e416c4 10211->10212 10213 e36de8 RtlAllocateHeap 10212->10213 10214 e416fe 10213->10214 10215 e41707 10214->10215 10216 e3686c RtlFreeHeap 10214->10216 10215->9801 10216->10215 10218 e3dcba 10217->10218 10219 e3dcd2 10218->10219 10220 e3dcbe NtTerminateProcess 10218->10220 10219->10042 10220->10219 10224 e3de8f 10221->10224 10222 e3dee2 10223 e3686c RtlFreeHeap 10223->10224 10224->10222 10224->10223 10225->10071 10227 e3699c 10226->10227 10228 e369b2 10227->10228 10229 e36844 RtlAllocateHeap 10227->10229 10228->10073 10229->10228 10231 e3a524 10230->10231 10232 e3a4c8 10230->10232 10246 e3a470 GetLogicalDriveStringsW 10230->10246 10231->10077 10233 e3a4fa ResumeThread 10232->10233 10234 e3b3c0 2 API calls 10232->10234 10235 e3a50e GetExitCodeThread 10233->10235 10236 e3a4d9 10234->10236 10235->10231 10236->10233 10237 e3a4dd 10236->10237 10237->10077 10239 e3a24f 10238->10239 10241 e3a1f3 10238->10241 10247 e3a1b0 GetDriveTypeW 10238->10247 10239->10096 10240 e3a225 ResumeThread 10243 e3a239 GetExitCodeThread 10240->10243 10241->10240 10242 e3b3c0 2 API calls 10241->10242 10244 e3a204 10242->10244 10243->10239 10244->10240 10245 e3a208 10244->10245 10245->10096 10249 e3f37f SetThreadPriority 10248->10249 10251 e3f321 10248->10251 10254 e3f38e 10249->10254 10250 e3f371 10252 e3686c RtlFreeHeap 10250->10252 10251->10250 10299 e3a094 FindFirstFileExW 10251->10299 10255 e3f379 10252->10255 10257 e36844 RtlAllocateHeap 10254->10257 10275 e3f3ad 10257->10275 10258 e3f34b 10260 e3c19c 11 API calls 10258->10260 10261 e3f355 10260->10261 10302 e3ef6c 10261->10302 10264 e3686c 
RtlFreeHeap 10266 e3f3dd FindFirstFileExW 10264->10266 10266->10275 10267 e3686c RtlFreeHeap 10267->10275 10268 e3f54c 10269 e3686c RtlFreeHeap 10268->10269 10272 e3f56f 10269->10272 10270 e3f514 FindNextFileW 10271 e3f52c FindClose 10270->10271 10270->10275 10271->10275 10273 e3f1c8 RtlAllocateHeap 10273->10275 10274 e3ef6c 4 API calls 10274->10275 10275->10264 10275->10267 10275->10268 10275->10270 10275->10273 10275->10274 10276 e3c19c 10275->10276 10295 e3f164 10275->10295 10277 e3c1b8 10276->10277 10281 e3c1b3 10276->10281 10329 e36934 10277->10329 10280 e3c1d0 GetFileAttributesW 10282 e3c1e0 10280->10282 10281->10275 10283 e3c225 10282->10283 10284 e3c23e 10282->10284 10287 e3c28c 6 API calls 10283->10287 10285 e3c246 10284->10285 10286 e3c255 GetFileAttributesW 10284->10286 10333 e3c28c CreateFileW 10285->10333 10289 e3c262 10286->10289 10290 e3c26e CopyFileW 10286->10290 10291 e3c22d 10287->10291 10293 e3686c RtlFreeHeap 10289->10293 10294 e3686c RtlFreeHeap 10290->10294 10292 e3686c RtlFreeHeap 10291->10292 10292->10281 10293->10285 10294->10281 10296 e3f17c 10295->10296 10297 e3f192 10296->10297 10298 e36844 RtlAllocateHeap 10296->10298 10297->10275 10298->10297 10300 e3a0e5 10299->10300 10301 e3a0c5 FindClose 10299->10301 10300->10250 10300->10258 10301->10300 10303 e3f155 10302->10303 10304 e3ef8d 10302->10304 10344 e3e3ac 10304->10344 10307 e3f14d 10308 e3686c RtlFreeHeap 10307->10308 10308->10303 10310 e3efa5 10310->10307 10311 e3efb9 10310->10311 10312 e3efcc 10310->10312 10354 e3ec00 10311->10354 10358 e3ece4 10312->10358 10315 e3f034 10316 e3686c RtlFreeHeap 10315->10316 10319 e3eff9 10316->10319 10317 e3686c RtlFreeHeap 10318 e3efc7 10317->10318 10318->10307 10318->10315 10318->10317 10318->10319 10321 e3ece4 RtlAllocateHeap 10318->10321 10326 e3f075 10319->10326 10362 e3ed30 10319->10362 10320 e3686c RtlFreeHeap 10320->10307 10321->10318 10324 e3f0ba 10325 e3686c RtlFreeHeap 10324->10325 10325->10326 10326->10307 10326->10320 10327 e3f0dc 
10327->10326 10328 e3686c RtlFreeHeap 10327->10328 10328->10326 10330 e3694a 10329->10330 10331 e36961 10330->10331 10332 e36844 RtlAllocateHeap 10330->10332 10331->10280 10331->10281 10332->10331 10334 e3c3ed 10333->10334 10335 e3c2bd 10333->10335 10334->10281 10336 e3c2f5 WriteFile 10335->10336 10337 e3c31a 10336->10337 10338 e3c32c WriteFile 10336->10338 10337->10281 10339 e3c353 NtClose 10338->10339 10340 e3c365 WriteFile 10338->10340 10339->10281 10341 e3c38a 10340->10341 10342 e3c39c WriteFile 10340->10342 10341->10281 10342->10335 10343 e3c3c3 10342->10343 10343->10281 10345 e3e3c5 10344->10345 10346 e3e40b 10345->10346 10382 e3de48 10345->10382 10346->10307 10348 e3e45c 10346->10348 10350 e3e47b 10348->10350 10349 e3e508 10349->10310 10350->10349 10351 e3e350 RtlAllocateHeap 10350->10351 10352 e3e4eb 10351->10352 10352->10349 10353 e3686c RtlFreeHeap 10352->10353 10353->10349 10355 e3ec0d 10354->10355 10356 e36934 RtlAllocateHeap 10355->10356 10357 e3ec19 10356->10357 10357->10318 10359 e3ecf2 10358->10359 10360 e36934 RtlAllocateHeap 10359->10360 10361 e3ed01 10360->10361 10361->10318 10363 e3ed60 10362->10363 10364 e3ed91 10363->10364 10365 e3e2b8 2 API calls 10363->10365 10366 e36844 RtlAllocateHeap 10364->10366 10365->10364 10373 e3ed9d 10366->10373 10367 e3ef39 10369 e3ef47 10367->10369 10370 e3686c RtlFreeHeap 10367->10370 10368 e3686c RtlFreeHeap 10368->10367 10371 e3ef55 10369->10371 10372 e3686c RtlFreeHeap 10369->10372 10370->10369 10371->10324 10371->10326 10371->10327 10372->10371 10374 e36844 RtlAllocateHeap 10373->10374 10381 e3eee4 10373->10381 10375 e3edfa 10374->10375 10376 e36844 RtlAllocateHeap 10375->10376 10375->10381 10377 e3ee29 10376->10377 10378 e36844 RtlAllocateHeap 10377->10378 10377->10381 10379 e3eedb 10378->10379 10380 e3686c RtlFreeHeap 10379->10380 10379->10381 10380->10381 10381->10367 10381->10368 10383 e3de53 10382->10383 10384 e3de60 10383->10384 10386 e3dce4 10383->10386 10384->10345 10387 e3dd1b 10386->10387 10390 
e3ddf0 10387->10390 10391 e36844 RtlAllocateHeap 10387->10391 10388 e3de3d 10388->10384 10389 e3686c RtlFreeHeap 10389->10388 10390->10388 10390->10389 10392 e3dd74 10391->10392 10392->10390 10393 e36894 RtlReAllocateHeap 10392->10393 10394 e3dd9d 10392->10394 10393->10392 10394->10390 10396 e3dc60 NtTerminateProcess 10394->10396 10397 e3db90 10394->10397 10396->10394 10399 e3dbb0 10397->10399 10398 e3dc2d 10398->10394 10399->10398 10400 e3dc60 NtTerminateProcess 10399->10400 10400->10398 10404 e3f861 10401->10404 10402 e3fa12 10402->10102 10402->10110 10403 e36844 RtlAllocateHeap 10403->10404 10404->10402 10404->10403 10405 e3f8ee 10404->10405 10405->10402 10406 e36844 RtlAllocateHeap 10405->10406 10406->10405 10408 e369f9 10407->10408 10409 e36844 RtlAllocateHeap 10408->10409 10410 e36a19 10409->10410 10410->10119 10413 e3cef8 10411->10413 10412 e3cf7d 10412->10126 10413->10412 10414 e36844 RtlAllocateHeap 10413->10414 10414->10412 10416 e3d01f 10415->10416 10417 e3d024 10415->10417 10419 e3d45e 10416->10419 10420 e3686c RtlFreeHeap 10416->10420 10417->10416 10418 e36844 RtlAllocateHeap 10417->10418 10427 e3d065 10418->10427 10421 e3d46c 10419->10421 10422 e3686c RtlFreeHeap 10419->10422 10420->10419 10423 e3d47a 10421->10423 10424 e3686c RtlFreeHeap 10421->10424 10422->10421 10425 e3d488 10423->10425 10428 e3686c RtlFreeHeap 10423->10428 10424->10423 10426 e3d496 10425->10426 10429 e3686c RtlFreeHeap 10425->10429 10430 e3d4a4 10426->10430 10432 e3686c RtlFreeHeap 10426->10432 10427->10416 10442 e3d67c 10427->10442 10428->10425 10429->10426 10430->10136 10432->10430 10433 e3d08e 10433->10416 10446 e3d4b0 10433->10446 10435 e3d0a1 10435->10416 10450 e3d638 10435->10450 10438 e36de8 RtlAllocateHeap 10439 e3d0cc 10438->10439 10439->10416 10440 e36844 RtlAllocateHeap 10439->10440 10441 e3686c RtlFreeHeap 10439->10441 10440->10439 10441->10439 10443 e3d6a7 10442->10443 10444 e36844 RtlAllocateHeap 10443->10444 10445 e3d7a4 10444->10445 10445->10433 10447 e3d540 
10446->10447 10448 e36844 RtlAllocateHeap 10447->10448 10449 e3d57e 10448->10449 10449->10435 10451 e3d657 10450->10451 10452 e36de8 RtlAllocateHeap 10451->10452 10453 e3d0b4 10452->10453 10453->10416 10453->10438 10455 e3c8e5 10454->10455 10456 e36844 RtlAllocateHeap 10455->10456 10458 e3c8f5 10456->10458 10457 e3c917 10457->10144 10458->10457 10459 e3686c RtlFreeHeap 10458->10459 10459->10457 10461 e36844 RtlAllocateHeap 10460->10461 10462 e4396b 10461->10462 10462->10157 10464 e36cbb 10463->10464 10465 e3686c RtlFreeHeap 10464->10465 10466 e36d24 10464->10466 10465->10466 10466->10171 10468 e36844 RtlAllocateHeap 10467->10468 10469 e418ce 10468->10469 10469->10198 10471 e36844 RtlAllocateHeap 10470->10471 10472 e41c4e 10471->10472 10472->10208 10508 e391c8 10473->10508 10475 e3962d 10476 e3963c 10475->10476 10525 e390bc 10475->10525 10479 e397d8 4 API calls 10478->10479 10480 e38fa0 10479->10480 10481 e39880 NtClose 10480->10481 10492 e39010 10480->10492 10482 e38fae 10481->10482 10484 e38fb7 NtSetInformationThread 10482->10484 10482->10492 10483 e39035 10486 e38fcb 10484->10486 10484->10492 10537 e38da8 10486->10537 10489 e39880 NtClose 10490 e38fee 10489->10490 10490->10492 10542 e38be0 10490->10542 10492->10483 10548 e38ecc 10492->10548 10494 e374b3 10493->10494 10495 e3748b 10493->10495 10495->10494 10496 e37494 GetDriveTypeW 10495->10496 10551 e374bc 10495->10551 10496->10495 10499 e37861 10498->10499 10501 e37e60 10500->10501 10502 e36844 RtlAllocateHeap 10501->10502 10503 e37e72 NtQuerySystemInformation 10501->10503 10504 e36894 RtlReAllocateHeap 10501->10504 10505 e3686c RtlFreeHeap 10501->10505 10506 e3686c RtlFreeHeap 10501->10506 10502->10501 10503->10501 10504->10501 10505->10501 10507 e37f40 Sleep 10506->10507 10507->10501 10509 e392a9 10508->10509 10510 e3946d RegCreateKeyExW 10509->10510 10511 e394c7 RegCreateKeyExW 10510->10511 10520 e394a1 RegEnumKeyW 10510->10520 10514 e395e2 10511->10514 10515 e395bc RegEnumKeyW 10511->10515 10514->10475 
[Call-graph edge list spilled from the report's rendered graph viewer (begins mid-list); it pairs node numbers with function addresses from 0xe36550 through 0xe4771c and names the API each node calls. APIs named in this part of the graph: OpenEventLogW, ClearEventLogW, RegCreateKeyExW, RegSetValueExW, RtlAdjustPrivilege, OpenSCManagerW, CloseServiceHandle, NtTerminateProcess, NtClose, NtQuerySystemInformation, NtSetInformationThread, NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, FindFirstFileExW, FindNextFileW, FindClose, GetFileAttributesW, CreateFileW, WriteFile, SetFilePointerEx, MoveFileExW, DeleteFileW, Sleep.]

                                      Control-flow Graph
                                      [Function e404b4-e40960; rendered graph data omitted, the viewer's executed / not-executed colouring is not recoverable as text. Basic-block sequence recoverable from the graph: call e3164c, call e36de8, call e36844, call e48c34, call e40338, GetTempFileNameW, CreateFileW, WriteFile, CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, call e36de8, call e492f4, call e49348, call e4941c, NtProtectVirtualMemory, NtWriteVirtualMemory, NtDuplicateObject, CreateNamedPipeW, ResumeThread, ConnectNamedPipe. Every failed call branches to the common exit at e408e9, which frees buffers with call e3686c.]
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: D
                                      • API String ID: 0-2746444292
                                      • Opcode ID: a35c51abfe6a9392cbd64eb95a086d98648e9b4c365dd3cb05105ccb56592bf6
                                      • Instruction ID: 39d36ac80b642b90ad2268c0d7225b8ae0cb5d9adadf7f804c45223f85a7016c
                                      • Opcode Fuzzy Hash: a35c51abfe6a9392cbd64eb95a086d98648e9b4c365dd3cb05105ccb56592bf6
                                      • Instruction Fuzzy Hash: D3E13E71900318EFEF209F91EC49BEEBBB9FB08305F1054A5E209B61A1D7755A88DF91

                                      Control-flow Graph
                                      [Function e391c8-e39627; rendered graph data omitted, the viewer's executed / not-executed colouring is not recoverable as text. Recoverable block structure: after five calls to e31240, RegCreateKeyExW opens a key (first argument 80000002, HKEY_LOCAL_MACHINE, per the API list below), then a RegEnumKeyW loop over its subkeys; for each subkey the graph shows RegCreateKeyExW, two RegSetValueExW calls, OpenEventLogW and ClearEventLogW. A second RegCreateKeyExW / RegEnumKeyW loop follows in which each iteration calls OpenEventLogW and ClearEventLogW. Failed calls branch to the common exit at e39615.]
                                      APIs
                                      • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000,?,00000007,?,00000004,?,00000019,?), ref: 00E39493
                                      • RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000104), ref: 00E394BA
                                      • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 00E394F0
                                      • RegSetValueExW.KERNELBASE(00000000,?,00000000,00000004,00000000,00000004), ref: 00E39512
                                      • RegSetValueExW.KERNELBASE(00000000,?,00000000,00000001,?,00000064), ref: 00E39530
                                      • OpenEventLogW.ADVAPI32(00000000,?), ref: 00E39543
                                      • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 00E39557
                                      • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,0002011F,00000000,00000000,00000000), ref: 00E395B2
                                      • RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000104), ref: 00E395D5
                                      • OpenEventLogW.ADVAPI32(00000000,?), ref: 00E395ED
                                      • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 00E39601
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event$Create$ClearEnumOpenValue
                                      • String ID:
                                      • API String ID: 1260815474-0
                                      • Opcode ID: b55a37a447f63a9186732d2efbe9839dad513af3fef04c846cf3e83405f6616e
                                      • Instruction ID: 285f40a9d95d038d761c61e3c9594a4ad96382e2ea399109f22a5522cefd0118
                                      • Opcode Fuzzy Hash: b55a37a447f63a9186732d2efbe9839dad513af3fef04c846cf3e83405f6616e
                                      • Instruction Fuzzy Hash: B1C105B8800306EFDB248F51D849B997F78FF04744F529088E6156F2B2D7BA9A84CF56

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 128 e36668-e3667b 129 e3667e-e36683 128->129 129->129 130 e36685-e36699 call e3a094 129->130 133 e366a5-e366c7 CreateFileW 130->133 134 e3669b-e3669f 130->134 135 e367ca-e367cc 133->135 136 e366cd-e366cf 133->136 134->133 134->135 137 e367cf-e367d2 135->137 138 e366d2-e366fb NtAllocateVirtualMemory 136->138 139 e367f3-e367f7 137->139 140 e367d4-e367ed NtFreeVirtualMemory 137->140 141 e36703 138->141 142 e366fd-e36708 138->142 139->137 143 e367f9-e367fd 139->143 140->139 145 e36733-e36738 141->145 149 e3671b-e3671e 142->149 150 e3670a-e36719 142->150 147 e36808-e3681f call e36550 DeleteFileW 143->147 148 e367ff-e36802 NtClose 143->148 146 e3673b-e36746 145->146 151 e36754 146->151 152 e36748-e36752 146->152 160 e36821 147->160 161 e36828-e3682c 147->161 148->147 154 e3672d-e36731 149->154 155 e36720-e36728 call e36628 149->155 150->154 157 e36759-e36760 151->157 152->157 154->138 154->145 155->154 159 e36763-e36779 WriteFile 157->159 162 e3677b 159->162 163 e3677d-e3679a SetFilePointerEx 159->163 160->161 164 e36836-e3683f 161->164 165 e3682e-e36831 call e3686c 161->165 166 e3679c-e367a3 162->166 163->159 163->166 165->164 168 e367a7-e367c5 166->168 169 e367a5 166->169 168->146 169->135
                                      APIs
                                      • CreateFileW.KERNELBASE(00E377D6,40000000,00000003,00000000,00000003,80000000,00000000,00E377D6,?,?,00000000,?), ref: 00E366BA
                                      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004,?,00000000,?), ref: 00E366F3
                                      • WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000,?,00000000,?), ref: 00E36771
                                      • SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001,?,00000000,?), ref: 00E3678D
                                      • NtFreeVirtualMemory.NTDLL(000000FF,?,00010000,00008000,?,00000000,?), ref: 00E367ED
                                      • NtClose.NTDLL(000000FF,?,00000000,?), ref: 00E36802
                                      • DeleteFileW.KERNELBASE(?,000000FF,?,?,00000000,?), ref: 00E36817
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$MemoryVirtual$AllocateCloseCreateDeleteFreePointerWrite
                                      • String ID: lu
                                      • API String ID: 3569053182-2989676324
                                      • Opcode ID: 8bb73fa3e2083958302f6fb6272cb7af77ff9b997cf656d4f8b704e48b9c7aa1
                                      • Instruction ID: 673f807c767598239bfd41ada7075bdd0a90045da4eb4afbdb4cac0157d063c0
                                      • Opcode Fuzzy Hash: 8bb73fa3e2083958302f6fb6272cb7af77ff9b997cf656d4f8b704e48b9c7aa1
                                      • Instruction Fuzzy Hash: 77514D71900209BFDF11CFA4CC49BEEBBB9EB08769F205626F611B6090D3B55A89CB51

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 171 e3a68c-e3a70c GetVolumeNameForVolumeMountPointW FindFirstVolumeW 175 e3a712-e3a718 171->175 176 e3a950-e3a955 171->176 177 e3a91f-e3a941 175->177 178 e3a71e-e3a725 175->178 177->175 185 e3a947 177->185 178->177 179 e3a72b-e3a742 GetVolumePathNamesForVolumeNameW 178->179 179->177 180 e3a748-e3a74c 179->180 180->177 182 e3a752-e3a756 180->182 182->177 184 e3a75c-e3a766 GetDriveTypeW 182->184 186 e3a771-e3a779 call e31564 184->186 187 e3a768-e3a76b 184->187 185->176 190 e3a7f7-e3a81d call e316f0 CreateFileW 186->190 191 e3a77b-e3a7c3 186->191 187->177 187->186 195 e3a823-e3a849 DeviceIoControl 190->195 196 e3a916 190->196 199 e3a7e3-e3a7e7 191->199 200 e3a7c5-e3a7de call e3a600 191->200 195->196 197 e3a84f-e3a856 195->197 196->177 201 e3a858-e3a864 197->201 202 e3a8bc-e3a8c3 197->202 203 e3a7f2 199->203 204 e3a7e9 199->204 200->199 206 e3a883-e3a889 201->206 207 e3a866-e3a86d 201->207 202->196 205 e3a8c5-e3a8cc 202->205 203->177 204->203 205->196 211 e3a8ce-e3a8d5 205->211 209 e3a88b-e3a892 206->209 210 e3a8a8-e3a8b5 call e316c0 call e3a600 206->210 207->206 212 e3a86f-e3a876 207->212 209->210 215 e3a894-e3a89b 209->215 223 e3a8ba 210->223 211->196 217 e3a8d7-e3a8f1 call e316c0 211->217 212->206 213 e3a878-e3a87f 212->213 213->206 219 e3a881 213->219 215->210 220 e3a89d-e3a8a4 215->220 227 e3a8f3-e3a8fa 217->227 228 e3a90a-e3a911 call e3a600 217->228 219->223 220->210 224 e3a8a6 220->224 223->196 224->223 229 e3a908 227->229 230 e3a8fc-e3a903 call e3a600 227->230 228->196 229->196 230->229
                                      APIs
                                      • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000104), ref: 00E3A6D6
                                      • FindFirstVolumeW.KERNELBASE(?,00000104), ref: 00E3A6FF
                                      • GetVolumePathNamesForVolumeNameW.KERNELBASE(?,?,00000040,00000000), ref: 00E3A73A
                                      • GetDriveTypeW.KERNELBASE(?), ref: 00E3A75D
                                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?), ref: 00E3A810
                                      • DeviceIoControl.KERNELBASE(000000FF,00070048,00000000,00000000,?,00000090,00000001,00000000), ref: 00E3A841
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Volume$Name$ControlCreateDeviceDriveFileFindFirstMountNamesPathPointType
                                      • String ID: '
                                      • API String ID: 754975672-1997036262
                                      • Opcode ID: e8b78ce8ddbc6f6adc61d1139db9de1b6f26bb41cbd9cab3fba98e4bb3439937
                                      • Instruction ID: 6c5ea095d16626da029d8c36eca4f9f4c014b8b7a28a7663e804923ce85d1dbc
                                      • Opcode Fuzzy Hash: e8b78ce8ddbc6f6adc61d1139db9de1b6f26bb41cbd9cab3fba98e4bb3439937
                                      • Instruction Fuzzy Hash: 4471A031800B14EFDB349B50DC0DB9A7FB8EF0131AF1994A6E285B60A1D7745AC9CF66

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 233 e47034-e47053 KiUserCallbackDispatcher 234 e47111-e47118 233->234 235 e47059-e47060 233->235 238 e47145-e4717c CreateThread * 2 234->238 239 e4711a-e47133 CreateThread 234->239 236 e47062-e47088 call e36ae8 235->236 237 e4708b-e47092 235->237 236->237 242 e47094-e4709b 237->242 243 e470ce-e470d5 237->243 240 e47183-e4718a 238->240 241 e4717e call e37ca4 238->241 239->238 244 e47135-e4713e 239->244 247 e471a4-e471ab 240->247 248 e4718c-e471a1 CreateThread 240->248 241->240 242->243 250 e4709d-e470c7 call e39c64 242->250 243->234 246 e470d7-e470de 243->246 244->238 246->234 253 e470e0-e4710a call e39c64 246->253 254 e471b6-e471dd call e3b734 call e3e1e8 247->254 255 e471ad-e471b4 247->255 248->247 250->243 253->234 281 e47221-e47225 254->281 282 e471df-e471e6 254->282 255->254 258 e4722e-e47232 255->258 260 e47234-e4723f 258->260 261 e47248-e4724c 258->261 260->261 267 e47262-e47269 261->267 268 e4724e-e47259 261->268 270 e4727f-e47286 267->270 271 e4726b-e47276 NtTerminateThread 267->271 268->267 275 e472b3-e472bd 270->275 276 e47288-e472a1 CreateThread 270->276 271->270 287 e47392-e473a0 call e41934 call e41d28 call e416ac 275->287 288 e472c3-e472ca 275->288 276->275 280 e472a3-e472ac 276->280 280->275 281->258 284 e47201-e47208 282->284 285 e471e8-e471fc call e3a68c call e3e2b8 call e40a38 call e3e2b8 call e40be4 282->285 291 e47214-e4721c call e3e270 call e3e2b8 284->291 292 e4720a-e4720f call e3e2b8 call e3fc88 284->292 285->284 323 e473a5-e473a9 287->323 293 e472f7-e472fe 288->293 294 e472cc-e472e5 288->294 291->281 292->291 298 e47300-e47304 293->298 299 e47339-e47340 call e3b674 293->299 294->293 310 e472e7-e472f0 294->310 306 e47306-e47311 298->306 307 e4731a-e47334 call e36ae8 call e3da00 298->307 315 e47342-e47347 call e38960 299->315 316 e47349-e4734b call e38230 299->316 306->307 307->299 310->293 328 e47350-e47357 315->328 316->328 332 e47359-e47360 328->332 333 e4736b-e4738b call e39640 call e404b4 328->333 332->333 335 e47362-e47369 332->335 338 e47390 333->338 335->333 335->338 338->323
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(00000043,00000000), ref: 00E4704B
                                      • CreateThread.KERNELBASE(00000000,00000000,00E38F68,00000000,00000000,00000000), ref: 00E47129
                                      • CreateThread.KERNELBASE(00000000,00000000,00E37468,00000000,00000000,00000000), ref: 00E47154
                                      • CreateThread.KERNELBASE(00000000,00000000,00E3782C,00000000,00000000,00000000), ref: 00E4716C
                                      • CreateThread.KERNELBASE(00000000,00000000,00E37E58,00000000,00000000,00000000), ref: 00E4719B
                                      • NtTerminateThread.NTDLL(?,00000000), ref: 00E47270
                                      • CreateThread.KERNELBASE(00000000,00000000,00E39628,00000000,00000000,00000000), ref: 00E47297
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Thread$Create$CallbackDispatcherTerminateUser
                                      • String ID:
                                      • API String ID: 1743520491-0
                                      • Opcode ID: ec6c1148c4a870193a99eb81acba6b9ef4899c9f028cc0d4004301b01a5d3d8e
                                      • Instruction ID: 2c2fced1f066b682f6a2b06a57c6e8224e0989bf567eea97f2b8cdbd2d5364d6
                                      • Opcode Fuzzy Hash: ec6c1148c4a870193a99eb81acba6b9ef4899c9f028cc0d4004301b01a5d3d8e
                                      • Instruction Fuzzy Hash: 0B91F772549F00BFEB296BB2ED1EB6D3EA5AB04707F142910F691741F2DBB41888CB54

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 341 e3c28c-e3c2b7 CreateFileW 342 e3c3ed-e3c3f3 341->342 343 e3c2bd-e3c2d6 341->343 344 e3c2dc-e3c2ee call e317ac 343->344 347 e3c2f5-e3c318 WriteFile 344->347 348 e3c31a-e3c329 347->348 349 e3c32c-e3c351 WriteFile 347->349 350 e3c353-e3c362 NtClose 349->350 351 e3c365-e3c388 WriteFile 349->351 352 e3c38a-e3c399 351->352 353 e3c39c-e3c3c1 WriteFile 351->353 355 e3c3c3-e3c3d2 353->355 356 e3c3d5-e3c3e2 353->356 356->347 358 e3c3e8 356->358 358->344
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 00E3C2AA
                                      • WriteFile.KERNELBASE(000000FF,?,00000001,00000000,00000000,00E56000,?,?,?,00000000), ref: 00E3C30B
                                      • WriteFile.KERNELBASE(000000FF,?,00000001,00000000,00000000,?,?,00000000), ref: 00E3C344
                                      • NtClose.NTDLL(000000FF,?,?,00000000), ref: 00E3C356
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Write$CloseCreate
                                      • String ID:
                                      • API String ID: 237505210-0
                                      • Opcode ID: 54c059818e20c67a2dd88885f1007b8234ab28915faf0188d94fbcdbad943d36
                                      • Instruction ID: 4a27dae4809be8bd1143e3e58760f0bda8c860d82424c5e3b8dd74253dd02ad7
                                      • Opcode Fuzzy Hash: 54c059818e20c67a2dd88885f1007b8234ab28915faf0188d94fbcdbad943d36
                                      • Instruction Fuzzy Hash: 3B414E32A0060CFFDB00DBD5EC49BEEFBBAEB54312F6041A6E604B2191E3715A54DB91

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 360 e3f308-e3f31f GetFileAttributesW 361 e3f321-e3f32d call e3bbf4 360->361 362 e3f37f-e3f391 SetThreadPriority call e31564 360->362 367 e3f371-e3f37c call e3686c 361->367 368 e3f32f-e3f33d call e3a094 361->368 369 e3f393-e3f39a 362->369 370 e3f39c 362->370 368->367 377 e3f33f-e3f343 368->377 373 e3f3a3-e3f3b6 call e36844 369->373 370->373 379 e3f3bd-e3f3fd call e3c19c call e3f164 call e3686c FindFirstFileExW 373->379 380 e3f345-e3f349 377->380 381 e3f34b-e3f36e call e3c19c call e37290 call e3ef6c 377->381 394 e3f403-e3f411 379->394 395 e3f535-e3f54a call e3686c 379->395 380->367 380->381 401 e3f416-e3f41f 394->401 399 e3f54e-e3f562 395->399 400 e3f54c-e3f56a call e3686c 395->400 399->379 409 e3f56f-e3f572 400->409 403 e3f421-e3f427 401->403 404 e3f429 401->404 403->404 406 e3f42e-e3f438 403->406 407 e3f514-e3f526 FindNextFileW 404->407 410 e3f43a 406->410 411 e3f43f-e3f446 406->411 407->401 408 e3f52c-e3f52f FindClose 407->408 408->395 410->407 412 e3f453-e3f457 411->412 413 e3f448-e3f44c 411->413 415 e3f481-e3f489 call e3f21c 412->415 416 e3f459-e3f461 call e3f2b4 412->416 413->412 414 e3f44e 413->414 414->407 423 e3f490-e3f497 415->423 424 e3f48b 415->424 421 e3f463-e3f47a call e3f1c8 416->421 422 e3f47c 416->422 421->422 422->407 426 e3f4a4-e3f4ae call e3bbf4 423->426 427 e3f499-e3f4a0 423->427 424->407 432 e3f4b2-e3f4dc call e3f1c8 call e37290 call e3ef6c 426->432 433 e3f4b0 426->433 427->426 428 e3f4a2 427->428 428->407 432->407 440 e3f4de-e3f4e0 432->440 433->407 441 e3f4e2-e3f507 440->441 442 e3f509 440->442 441->407 442->407
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?), ref: 00E3F314
                                      • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 00E3F383
                                      • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000,?,?,?,00E55180,003D0900), ref: 00E3F3F0
                                      • FindNextFileW.KERNELBASE(000000FF,?), ref: 00E3F51E
                                      • FindClose.KERNELBASE(000000FF), ref: 00E3F52F
                                        • Part of subcall function 00E3A094: FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00E3A0B6
                                        • Part of subcall function 00E3A094: FindClose.KERNELBASE(000000FF), ref: 00E3A0DC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirst$AttributesNextPriorityThread
                                      • String ID:
                                      • API String ID: 3755735135-0
                                      • Opcode ID: f5d935f2277756d884ffce555523075e74ac0fecdf4406a18164f12a24730f55
                                      • Instruction ID: b81091ea611aaabf3dff3af82b6b4891b2a5d348e81430bb3b4911e025e041f2
                                      • Opcode Fuzzy Hash: f5d935f2277756d884ffce555523075e74ac0fecdf4406a18164f12a24730f55
                                      • Instruction Fuzzy Hash: 32617531C00609EEDF21AF60DC4DBAEBFB5AF0530AF1060B1E914B61A2D7319E95DB91

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 444 e3766c-e37693 446 e37822-e37827 444->446 447 e37699-e376ad call e36844 444->447 450 e376b3-e37700 call e316c0 FindFirstFileExW 447->450 451 e37806-e3780a 447->451 450->451 461 e37706-e3770f 450->461 452 e37814-e37818 451->452 453 e3780c-e3780f call e3686c 451->453 452->446 455 e3781a-e3781d call e3686c 452->455 453->452 455->446 462 e377e5-e377f7 FindNextFileW 461->462 463 e37715-e3771b 461->463 462->461 465 e377fd 462->465 463->462 464 e37721-e3774f call e36844 463->464 464->462 470 e37755-e37791 GetFileAttributesW 464->470 465->451 474 e37793-e3779e 470->474 475 e377ce-e377d1 call e36668 470->475 480 e377a2-e377ad 474->480 481 e377a0 474->481 477 e377d6-e377de call e3686c 475->477 477->462 483 e377b9 480->483 484 e377af-e377bb call e3766c 480->484 482 e377bd-e377cc call e3686c 481->482 482->462 483->482 484->474
                                      APIs
                                        • Part of subcall function 00E36844: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00E47764,?,00000000,00000000), ref: 00E36860
                                      • FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00E376F3
                                      • GetFileAttributesW.KERNELBASE(00000000), ref: 00E37786
                                      • FindNextFileW.KERNELBASE(000000FF,?), ref: 00E377EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$AllocateAttributesFirstHeapNext
                                      • String ID: lu
                                      • API String ID: 2400493143-2989676324
                                      • Opcode ID: 7d8e3dac07aa70ad731802f353e39f8699c4fbaa95ad301fb168581a5c59dfea
                                      • Instruction ID: 66fbf48183a26d1266a4620c45c8f6530e54a448ecaf7d36b508cd4a412b7998
                                      • Opcode Fuzzy Hash: 7d8e3dac07aa70ad731802f353e39f8699c4fbaa95ad301fb168581a5c59dfea
                                      • Instruction Fuzzy Hash: 1B4148B1804218EFDF259FA1DC4DBAEBFB5BF0030AF005461E422B10A0E7761A68DB51

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 491 e35c24-e35c35 492 e35c37-e35c51 call e35aec 491->492 493 e35c56-e35c5d 491->493 492->493 495 e35c5f-e35c79 call e35aec 493->495 496 e35c7e-e35c85 493->496 495->496 499 e35c87-e35ca1 call e35aec 496->499 500 e35ca6-e35cad call e31658 496->500 499->500 505 e35cb2-e35cb6 500->505 506 e35cb8-e35ce2 call e31240 505->506 507 e35cdd-e35ce0 505->507 511 e35ce9-e35d04 FindFirstFileW 506->511 507->505 512 e35d06-e35d17 call e311c4 511->512 513 e35d54-e35d58 511->513 523 e35d37-e35d49 FindNextFileW 512->523 524 e35d19-e35d2b FindClose call e35a20 512->524 514 e35d5a-e35d9c 513->514 515 e35d5c-e35d66 513->515 518 e35d8b-e35d8e 515->518 519 e35d68-e35d6d 515->519 518->511 521 e35d86-e35d89 519->521 522 e35d6f-e35d84 call e31240 519->522 521->519 522->518 523->512 525 e35d4b-e35d4e FindClose 523->525 529 e35d30-e35d34 524->529 525->513
                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,00000004,?), ref: 00E35CF7
                                      • FindClose.KERNELBASE(000000FF,?,00000000), ref: 00E35D1C
                                      • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 00E35D41
                                      • FindClose.KERNELBASE(000000FF), ref: 00E35D4E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID:
                                      • API String ID: 1164774033-0
                                      • Opcode ID: ac7c54aa83469005f31caed5ae5467f36bee2c8a8ff5481aca9f646387d60ca3
                                      • Instruction ID: 4bef78125e326b6015052732bf2b5343fc8ce05641806924a8f848a55be61d3d
                                      • Opcode Fuzzy Hash: ac7c54aa83469005f31caed5ae5467f36bee2c8a8ff5481aca9f646387d60ca3
                                      • Instruction Fuzzy Hash: 56416D72800B08DECB209F61DD9D7A9BFB8AB00306FA0A5A5E416BE271D7354DC9DB51

                                      Control-flow Graph

                                      control_flow_graph 530 e3b3c0-e3b3cd 531 e3b3d2-e3b417 530->531 532 e3b3cf-e3b3d0 530->532 533 e3b438-e3b43e 531->533 535 e3b419-e3b42c NtSetInformationThread 531->535 532->533 536 e3b42f-e3b432 NtClose 535->536 537 e3b42e 535->537 536->533 537->536
                                      APIs
                                      • NtSetInformationThread.NTDLL(000000FE,00000005,00000008,00000004), ref: 00E3B424
                                      • NtClose.NTDLL(00000008), ref: 00E3B432
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseInformationThread
                                      • String ID: V2
                                      • API String ID: 3167811113-1600132999
                                      • Opcode ID: f40c42bcd12c7f2bfa029e21ce136b9f036d90dda0374133ad286a77979ebe34
                                      • Instruction ID: d686b7488ea2e35e624acaac025ec05fc74014b737f158792c4670104c3e0c01
                                      • Opcode Fuzzy Hash: f40c42bcd12c7f2bfa029e21ce136b9f036d90dda0374133ad286a77979ebe34
                                      • Instruction Fuzzy Hash: 5E014471500308EFE710CF50DC9DFAABBB8FB00309F548165EA15AB1A1E7B59A58DB90

                                      Control-flow Graph

                                      control_flow_graph 593 e3b734-e3b740 call e368c0 596 e3b742-e3b77f NtSetInformationProcess * 3 call e368ec 593->596 597 e3b784-e3b785 593->597 596->597
                                      APIs
                                      • NtSetInformationProcess.NTDLL(000000FF,00000021,00000000,00000004,00000004,00000000,00E471D1), ref: 00E3B751
                                      • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002), ref: 00E3B763
                                      • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004), ref: 00E3B778
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InformationProcess
                                      • String ID:
                                      • API String ID: 1801817001-0
                                      • Opcode ID: 21c5e42605db5767eefba22fff8641914131c525dbe046743f6b5a492186c78b
                                      • Instruction ID: 2631fab6f93a5acc07f4d5fdfeb8c4003a25ec076115e326ead7e127fb3e885b
                                      • Opcode Fuzzy Hash: 21c5e42605db5767eefba22fff8641914131c525dbe046743f6b5a492186c78b
                                      • Instruction Fuzzy Hash: 5EF01CB1240710BFEB21AB94DCCAF213B9C9B0A726F100760B332ED0D6D7B08448C752
                                      APIs
                                      • NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?,9870B143), ref: 00E3B4B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MemoryProtectVirtual
                                      • String ID:
                                      • API String ID: 2706961497-3916222277
                                      • Opcode ID: 2859326a2a152f4fbdeb43afa2793c7a9f313515e90249fba9da833848fbf964
                                      • Instruction ID: 5b68e8517e1941a359e4243b8effd6f7c3cb397f54739762b0306748f09f9ed0
                                      • Opcode Fuzzy Hash: 2859326a2a152f4fbdeb43afa2793c7a9f313515e90249fba9da833848fbf964
                                      • Instruction Fuzzy Hash: 1AF09A71900308BBDB10CFA4CC88B9EBBBCAB04329F604294A62AB71C1E7755B048B64
                                      APIs
                                      • NtClose.NTDLL(?,00E40A30,00000000), ref: 00E3E2A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID: 0
                                      • API String ID: 3535843008-2089633060
                                      • Opcode ID: 1965301002f605d6d5fb29de8543e05b44161c86c519b9866dfb0c7e31ac16ca
                                      • Instruction ID: b126df000daa555a6dcad42429128d9bc0642ed1e334a4940a5d9cb6e80ea479
                                      • Opcode Fuzzy Hash: 1965301002f605d6d5fb29de8543e05b44161c86c519b9866dfb0c7e31ac16ca
                                      • Instruction Fuzzy Hash: 68E04F33240B04EFDB2C6B86ECA9F263B68F710717F900934F601711F08BB16888D614
                                      APIs
                                        • Part of subcall function 00E36844: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00E47764,?,00000000,00000000), ref: 00E36860
                                      • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E37E7E
                                      • Sleep.KERNELBASE(000007D0,?), ref: 00E37F45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeapInformationQuerySleepSystem
                                      • String ID:
                                      • API String ID: 3184523392-0
                                      • Opcode ID: 1c2598a9347debbecbe85217ff9d75c65f4a1626fd3d2b389b69ec71873a6b42
                                      • Instruction ID: d1fa016b8e7b1607162d970c430269a9dcbfa4ef5bd14b0299952eaa0c7e9fe6
                                      • Opcode Fuzzy Hash: 1c2598a9347debbecbe85217ff9d75c65f4a1626fd3d2b389b69ec71873a6b42
                                      • Instruction Fuzzy Hash: 59212BB1904208AFDF159FA1DC48BDEBFB8FF04309F209099E915BA161D7729A45DF90
                                      APIs
                                      • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 00E38F8A
                                        • Part of subcall function 00E397D8: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E39805
                                        • Part of subcall function 00E39880: NtClose.NTDLL(00000000), ref: 00E39971
                                      • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,D1F935A5), ref: 00E38FC1
                                        • Part of subcall function 00E38DA8: OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,7DDDCD9C), ref: 00E38DE6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Information$AdjustCloseManagerOpenPrivilegeQuerySystemThread
                                      • String ID:
                                      • API String ID: 1903255304-0
                                      • Opcode ID: 0ac2d0cb841dc7a4d4b74d8add43c5f894205f21313a6ec87a8694b5fef352e6
                                      • Instruction ID: b5c8562adcfd57a1c60a46158faa031dadc670d0332ba151b60273d39459165a
                                      • Opcode Fuzzy Hash: 0ac2d0cb841dc7a4d4b74d8add43c5f894205f21313a6ec87a8694b5fef352e6
                                      • Instruction Fuzzy Hash: 75218170900309BEEB24ABA0CC4EB9E7EB8AF04706F505554B511B61D6EBB48A84DB60
                                      APIs
                                      • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 00E38F8A
                                        • Part of subcall function 00E397D8: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E39805
                                        • Part of subcall function 00E39880: NtClose.NTDLL(00000000), ref: 00E39971
                                      • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004,00000000,00000002,00000002,D1F935A5), ref: 00E38FC1
                                        • Part of subcall function 00E38DA8: OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,7DDDCD9C), ref: 00E38DE6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Information$AdjustCloseManagerOpenPrivilegeQuerySystemThread
                                      • String ID:
                                      • API String ID: 1903255304-0
                                      • Opcode ID: f51e182d140e220db048669475e2457361484f9e82d5df24a441449b9e2402fc
                                      • Instruction ID: fe30829a94b8e449e9890def249b4d9c875e17a5b930017f19deb6cb847553b1
                                      • Opcode Fuzzy Hash: f51e182d140e220db048669475e2457361484f9e82d5df24a441449b9e2402fc
                                      • Instruction Fuzzy Hash: 9C219370900309BEEF24ABA0CC4EBDE7EB8AF04706F505554F511B61D6EBF48A84DB60
                                      APIs
                                        • Part of subcall function 00E37590: FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00E375FF
                                        • Part of subcall function 00E37590: FindClose.KERNELBASE(000000FF), ref: 00E3765C
                                      • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00E3751F
                                      • FindNextFileW.KERNELBASE(000000FF,?), ref: 00E37576
                                        • Part of subcall function 00E3766C: FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00E376F3
                                        • Part of subcall function 00E3766C: GetFileAttributesW.KERNELBASE(00000000), ref: 00E37786
                                        • Part of subcall function 00E3766C: FindNextFileW.KERNELBASE(000000FF,?), ref: 00E377EF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$First$Next$AttributesClose
                                      • String ID:
                                      • API String ID: 95010735-0
                                      • Opcode ID: 89cbf69890bb954700df121bf386672a9de9d784992faf042f1a4d602483cc64
                                      • Instruction ID: 1bc9b99bbff93753d01d45bdd6cc9e25e8071eee0d377ca61aba6e49ed017ac7
                                      • Opcode Fuzzy Hash: 89cbf69890bb954700df121bf386672a9de9d784992faf042f1a4d602483cc64
                                      • Instruction Fuzzy Hash: 5B211FB194030DAFDB24EB90DD4DFD97BBCAB14306F4004A1A519E6151E7319B58CF61
                                      APIs
                                      • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00E375FF
                                      • FindClose.KERNELBASE(000000FF), ref: 00E3765C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0
                                      • Opcode ID: 96c7ffb22c3f1826fe0dcadd563a45dc3fca2f32ce21549d9666edc4cc70a19e
                                      • Instruction ID: 6e4f6a8899267e791d94561ec620501bbe295b921809e8a0d4442e72d82c17a4
                                      • Opcode Fuzzy Hash: 96c7ffb22c3f1826fe0dcadd563a45dc3fca2f32ce21549d9666edc4cc70a19e
                                      • Instruction Fuzzy Hash: 22216FB1804208EFDB10DF94DC1DBACBFB9FF0430AF0045A0E949AA161E7719A98CF55
                                      APIs
                                      • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E37E7E
                                      • Sleep.KERNELBASE(000007D0,?), ref: 00E37F45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InformationQuerySleepSystem
                                      • String ID:
                                      • API String ID: 3518162127-0
                                      • Opcode ID: cde3c16c0fa6d332446c3e7efd09aadc5ce4521726dc7ba9ecb9233e6570da88
                                      • Instruction ID: db86bbab45e0f14b8f0e7cb2a798a0cf7e92eda35cb32e8ef1a232e29bf069e4
                                      • Opcode Fuzzy Hash: cde3c16c0fa6d332446c3e7efd09aadc5ce4521726dc7ba9ecb9233e6570da88
                                      • Instruction Fuzzy Hash: 0D2138B1908208EFDF159FA1C848BDDBFB8FF04309F209099E911BA151D7729A49DFA0
                                      APIs
                                      • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E37E7E
                                      • Sleep.KERNELBASE(000007D0,?), ref: 00E37F45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InformationQuerySleepSystem
                                      • String ID:
                                      • API String ID: 3518162127-0
                                      • Opcode ID: 6f5b9272d07a4fbd00568204361b11e80d82190619a9b9071920b533e4f77c97
                                      • Instruction ID: db86bbab45e0f14b8f0e7cb2a798a0cf7e92eda35cb32e8ef1a232e29bf069e4
                                      • Opcode Fuzzy Hash: 6f5b9272d07a4fbd00568204361b11e80d82190619a9b9071920b533e4f77c97
                                      • Instruction Fuzzy Hash: 0D2138B1908208EFDF159FA1C848BDDBFB8FF04309F209099E911BA151D7729A49DFA0
                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,00E3DE78,00000000,00000000,00000000,?,00000000), ref: 00E3E239
                                        • Part of subcall function 00E3B444: NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,00E36541,00000000,00E5586C,00E36390,00000000,00000000,00E55858,00E36378,00000000,00000000,00E5584C), ref: 00E3B465
                                      • NtClose.NTDLL(00000000,00000000,?,00000000), ref: 00E3E24C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Thread$CloseCreateInformation
                                      • String ID:
                                      • API String ID: 3895992022-0
                                      • Opcode ID: a147bc9b9e780af5492e7979cde745fc7a0f541447b0e4ed25e82165d74f82b3
                                      • Instruction ID: 2f691184dd61b3bb230224f6c89be460b1897cb2ffa6d7d495bf1cf103b21913
                                      • Opcode Fuzzy Hash: a147bc9b9e780af5492e7979cde745fc7a0f541447b0e4ed25e82165d74f82b3
                                      • Instruction Fuzzy Hash: 7701DB71740B14EFE3146B55AC9DB9E7B68EB04717F200620FA15B62E1FBB06D08C555
                                      APIs
                                      • GetLogicalDriveStringsW.KERNELBASE(00000104,?), ref: 00E3747F
                                      • GetDriveTypeW.KERNELBASE(?), ref: 00E37495
                                      Similarity
                                      • API ID: Drive$LogicalStringsType
                                      • String ID:
                                      • API String ID: 1630765265-0
                                      • Opcode ID: 22a4e79358547f4969cd9f53a1cf9fa06c0a78a4127d9d0ddf7d820cfddc94fc
                                      • Instruction ID: 4d08ee3b972cc5f4c926deb3d46e61bcbc85817eb528f9dd6621a8048bfcc583
                                      • Opcode Fuzzy Hash: 22a4e79358547f4969cd9f53a1cf9fa06c0a78a4127d9d0ddf7d820cfddc94fc
                                      • Instruction Fuzzy Hash: 85E0E5B25047295BDB30A6D5ACCD9AB7FACCB05305F000551EAE4F2001DA54BD86C6A1
                                      APIs
                                      • FindFirstFileExW.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00E3A0B6
                                      • FindClose.KERNELBASE(000000FF), ref: 00E3A0DC
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0
                                      • Opcode ID: 86b832bcf4539643bbcbc0b94480008e347f068146a90b3603a8900bc2d8f83e
                                      • Instruction ID: 8434b660c75265a775f1a58879fc14a019dc183520c36eb6048bfc38ae55d26f
                                      • Opcode Fuzzy Hash: 86b832bcf4539643bbcbc0b94480008e347f068146a90b3603a8900bc2d8f83e
                                      • Instruction Fuzzy Hash: DEF01774901308EFDB20DF94CC49B9CBBB5EB44311F2082A5A818BB2A0E7716A95DF44
                                      APIs
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: de3800c88866cfc453de861961333396c5090c0cc5d113f0c03b9ff6e4fb856f
                                      • Instruction ID: 683890479e4d8fef97339b8ffa96f7e634be1ac83e84c9f1aa2d809d51b1f5ce
                                      • Opcode Fuzzy Hash: de3800c88866cfc453de861961333396c5090c0cc5d113f0c03b9ff6e4fb856f
                                      • Instruction Fuzzy Hash: C531BA7180020CEFEB00CF95D858BEEBFB8FB04319F608159E415BA291D7B69A49DF91
                                      APIs
                                        • Part of subcall function 00E36844: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00E47764,?,00000000,00000000), ref: 00E36860
                                      • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E39805
                                      Similarity
                                      • API ID: AllocateHeapInformationQuerySystem
                                      • String ID:
                                      • API String ID: 3114120137-0
                                      • Opcode ID: 0317eb6b4cac5e71a72151c9cedfb21c85fa580347fc59dc1161d6124a0ad33e
                                      • Instruction ID: 5e71478000540e2e3e9874433cd0e35ca9a7539c5eadb7a42f6fa5a2043e3d16
                                      • Opcode Fuzzy Hash: 0317eb6b4cac5e71a72151c9cedfb21c85fa580347fc59dc1161d6124a0ad33e
                                      • Instruction Fuzzy Hash: 19114C71D00108FBDF15DF95E888ADDBFB8EF09314F2091A6EA10BA152D7B25E50EB90
                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 00E35A71
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: b8bfdb84bc30eb144f26ccddaa494ec7355207d1e7f568fd30d191c6c5cf991f
                                      • Instruction ID: fa59566867674f9257d6c22509814c994d0846b8bc0519c2cb4e9b415ee59218
                                      • Opcode Fuzzy Hash: b8bfdb84bc30eb144f26ccddaa494ec7355207d1e7f568fd30d191c6c5cf991f
                                      • Instruction Fuzzy Hash: CCF03C7690060DFECF10EE95D849FDEBBBCEB04315F4041A2A919B7140D230AB48DBA0
                                      APIs
                                      • NtTerminateProcess.NTDLL(00E37DB8,00000000), ref: 00E3DCC3
                                      Similarity
                                      • API ID: ProcessTerminate
                                      • String ID:
                                      • API String ID: 560597551-0
                                      • Opcode ID: 5c546e13e335710fecd5e17cdf5ee51e4ef78d911c4c11ac1e4a5422fd046606
                                      • Instruction ID: 2e12c784e1c78b48bc49c635421aea74fede798357d9975329b1964a2f92f339
                                      • Opcode Fuzzy Hash: 5c546e13e335710fecd5e17cdf5ee51e4ef78d911c4c11ac1e4a5422fd046606
                                      • Instruction Fuzzy Hash: 0801D6B1900208EFDB00CF90D858BDEBBB8FB04319F608598E515AB291D7B6964ACF91
                                      APIs
                                      • NtQueryInformationToken.NTDLL(?,00000001,?,0000002C,?), ref: 00E3B69E
                                      Similarity
                                      • API ID: InformationQueryToken
                                      • String ID:
                                      • API String ID: 4239771691-0
                                      • Opcode ID: 80956c2e673b3b15b0e00d6be5f3106fb3093d3ed3bd59c2b4913d8ff7fb3619
                                      • Instruction ID: 5e1ea6c2b89d9c6f5965b00a20479c656d9a2a8a0269c15b071edf44db9107ea
                                      • Opcode Fuzzy Hash: 80956c2e673b3b15b0e00d6be5f3106fb3093d3ed3bd59c2b4913d8ff7fb3619
                                      • Instruction Fuzzy Hash: 10F03032601208AFEB10DB95DC8AEADB77DFB05316FA00165FA15E31A1E761AE54C740
                                      APIs
                                      • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E39805
                                      Similarity
                                      • API ID: InformationQuerySystem
                                      • String ID:
                                      • API String ID: 3562636166-0
                                      • Opcode ID: 339e427abddcde8953cc2bda5f1bd7022b5f23bfa59b20e5a6b3ffb8d5004887
                                      • Instruction ID: fad662da8984e1f1a3f19a61f270f1416095bcf5dea0635b86b5d70a07287df8
                                      • Opcode Fuzzy Hash: 339e427abddcde8953cc2bda5f1bd7022b5f23bfa59b20e5a6b3ffb8d5004887
                                      • Instruction Fuzzy Hash: 98F03A35A04108EBDF18DF85E8C8BECBFB8EF55301F206092EA01BA152C3B19A50EB51
                                      APIs
                                      • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E39805
                                      Similarity
                                      • API ID: InformationQuerySystem
                                      • String ID:
                                      • API String ID: 3562636166-0
                                      • Opcode ID: 886839de9aa8d051fcf1a214eb2e7b73df0884fe0d64b005ae90baaade60665b
                                      • Instruction ID: fad662da8984e1f1a3f19a61f270f1416095bcf5dea0635b86b5d70a07287df8
                                      • Opcode Fuzzy Hash: 886839de9aa8d051fcf1a214eb2e7b73df0884fe0d64b005ae90baaade60665b
                                      • Instruction Fuzzy Hash: 98F03A35A04108EBDF18DF85E8C8BECBFB8EF55301F206092EA01BA152C3B19A50EB51
                                      APIs
                                      • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,00E36541,00000000,00E5586C,00E36390,00000000,00000000,00E55858,00E36378,00000000,00000000,00E5584C), ref: 00E3B465
                                      Similarity
                                      • API ID: InformationThread
                                      • String ID:
                                      • API String ID: 4046476035-0
                                      • Opcode ID: 4f421c128634b50946269ce10ab067516353721e44d0a5aaadb22ff1c68be5fa
                                      • Instruction ID: 98a0379330f9e0d1c0a2c52b16c7ae022015de199f01db4bce3b7b0fc5f1b116
                                      • Opcode Fuzzy Hash: 4f421c128634b50946269ce10ab067516353721e44d0a5aaadb22ff1c68be5fa
                                      • Instruction Fuzzy Hash: 6FD05E325A020CAED7109B54DC19BF6376CD311306F108525B22796091E7B0A494C668

                                      Control-flow Graph

                                      APIs
                                      Similarity
                                      • API ID: LibraryTextWindow$CreateDialogFreeLoad$BrushColorCommandErrorLastLineMenuPixelProc$ButtonCapsCheckedCountDeviceExitHeapImageItemMessageNamePaletteParamProcessSelectSolidTick
                                      • String ID:
                                      • API String ID: 2067994032-0
                                      • Opcode ID: 9c0ddc8a8b60755441a21cf38d71766e80c7c328b096946ca212235a9aced584
                                      • Instruction ID: 785a20300514e45a49463733c8bdf5eda9d0a60d555386348de8d7c7e3bbdd6a
                                      • Opcode Fuzzy Hash: 9c0ddc8a8b60755441a21cf38d71766e80c7c328b096946ca212235a9aced584
                                      • Instruction Fuzzy Hash: E301A424C5B501A9C1413BF0BF1BB6C69ECAFB2310F2A38A8F298360E34F204400C5B3

Control-flow Graph (executed / not executed nodes): function at e3c19c-e3c287, calling GetFileAttributesW and CopyFileW, with subcalls to e36934, e316c0, e3c28c and e3686c (rendered graph not reproduced)
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e0acd0a67e333654cf5afeffc4232bb45731aec9006d0ee2a38237ed5f38c054
                                      • Instruction ID: 959f6bc497b94e27888d71a429bfb53ff3a515f7e44436255c021c526f19acda
                                      • Opcode Fuzzy Hash: e0acd0a67e333654cf5afeffc4232bb45731aec9006d0ee2a38237ed5f38c054
                                      • Instruction Fuzzy Hash: 7221C531804A08FFDF12ABA5DE4ABAD7FB2AB05315F2061A0E51575171C7724A64FB05

Control-flow Graph (executed / not executed nodes): function at e3a488-e3a52a, calling CreateThread, ResumeThread and GetExitCodeThread, with a subcall to e3b3c0 (rendered graph not reproduced)
                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,00E3A470,?,00000004,00000000), ref: 00E3A4B9
                                      • ResumeThread.KERNELBASE(00000000), ref: 00E3A4FD
                                      • GetExitCodeThread.KERNELBASE(00000000,00000000), ref: 00E3A515
                                      Similarity
                                      • API ID: Thread$CodeCreateExitResume
                                      • String ID:
                                      • API String ID: 4070214711-0
                                      • Opcode ID: a61f7be2ba02928362106e4f3e3ec8974e0db9219a62dd5388ed0d14152f4a40
                                      • Instruction ID: 48023c0f1a1993a90aa9e3480c8f6338bf1c5a17f49a13c537df9cb43a5868ba
                                      • Opcode Fuzzy Hash: a61f7be2ba02928362106e4f3e3ec8974e0db9219a62dd5388ed0d14152f4a40
                                      • Instruction Fuzzy Hash: C3111331900208FFDB10DF94DD09BADBBB5FB04316F2085A5F925B22A0E7715A94EB40

Control-flow Graph (executed / not executed nodes): function at e3a1c0-e3a255, calling CreateThread, ResumeThread and GetExitCodeThread, with a subcall to e3b3c0 (rendered graph not reproduced)
                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,00E3A1B0,?,00000004,00000000), ref: 00E3A1E4
                                      • ResumeThread.KERNELBASE(00000000), ref: 00E3A228
                                      • GetExitCodeThread.KERNELBASE(00000000,00000000), ref: 00E3A240
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Thread$CodeCreateExitResume
                                      • String ID:
                                      • API String ID: 4070214711-0
                                      • Opcode ID: e04660be6a0d7739fda1a919af34aeb32f3ea4dd196497218f811ebaecd83a55
                                      • Instruction ID: 17ba9691cdec068384d95909381fd428bcdd4f7693be300b8a7949a1beea9d70
                                      • Opcode Fuzzy Hash: e04660be6a0d7739fda1a919af34aeb32f3ea4dd196497218f811ebaecd83a55
                                      • Instruction Fuzzy Hash: DB11E532900208FFDB119F90ED0AB9DBF72EB04316F2041A4FA55761B0E7725A94EB41
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00E37853
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Initialize
                                      • String ID: @
                                      • API String ID: 2538663250-2766056989
                                      • Opcode ID: da1a07618f3ed0c0f2ae62866f1efade5c9bf3cb4ecfd12665e5de5744303ee4
                                      • Instruction ID: bcef198b4b943153521844205d06aec2dde9b832475b152e6d8248c486eb68fa
                                      • Opcode Fuzzy Hash: da1a07618f3ed0c0f2ae62866f1efade5c9bf3cb4ecfd12665e5de5744303ee4
                                      • Instruction Fuzzy Hash: FCD1F8B490030AEFDB20CF90C888F9ABB79BF04704F159195E514AF2A2D779DA84CF65
                                      APIs
                                      • SetThreadPriority.KERNELBASE(000000FE,00000002), ref: 00E3DE89
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: PriorityThread
                                      • String ID:
                                      • API String ID: 2383925036-0
                                      • Opcode ID: 8db42910836fa6d09aad73157c49db624d5642c374b625f023890a13378f30d9
                                      • Instruction ID: 0cc1aa3374f77d883c442fcefc405af68c7ff335f6acff25032c99ce05d36908
                                      • Opcode Fuzzy Hash: 8db42910836fa6d09aad73157c49db624d5642c374b625f023890a13378f30d9
                                      • Instruction Fuzzy Hash: 39A18B72504604EFDF258F51DCC8BAA3FBDEB04309F2066A2E906A9295E7709A48DF51
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: bb0c6d2cd14f20fc6764dea5612c43e3a7c3fccda94ea8fc719b3559139b9e9a
                                      • Instruction ID: d5d271348aaa2f26472214f1b89f19e85f0a96d586ea8be7c77eced6aedc0d6a
                                      • Opcode Fuzzy Hash: bb0c6d2cd14f20fc6764dea5612c43e3a7c3fccda94ea8fc719b3559139b9e9a
                                      • Instruction Fuzzy Hash: 2C617831D0070AEFDF149FE1EC89BAEBBB4EB0430AF206535E611761A0D7756A48DB90
                                      APIs
                                      • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000,E80C4717,?,?,00E49487), ref: 00E363C5
                                        • Part of subcall function 00E3B444: NtSetInformationThread.NTDLL(00000000,?,00000000,00000000,?,00E36541,00000000,00E5586C,00E36390,00000000,00000000,00E55858,00E36378,00000000,00000000,00E5584C), ref: 00E3B465
                                        • Part of subcall function 00E3B470: NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?,9870B143), ref: 00E3B4B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateHeapInformationMemoryProtectThreadVirtual
                                      • String ID:
                                      • API String ID: 2986011945-0
                                      • Opcode ID: 2b67d8abd4c928f46446658460f22bd7f61ecf2d326be0b54f0263011071697d
                                      • Instruction ID: 400a79dc7bce432ad4b4c315c973076004d435b0806fab1855a93e5e00be69c4
                                      • Opcode Fuzzy Hash: 2b67d8abd4c928f46446658460f22bd7f61ecf2d326be0b54f0263011071697d
                                      • Instruction Fuzzy Hash: 2F318523382FB078427132B66C2FE9F1DACCED3F66FD17955B808B529689D06404C0B9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000004), ref: 00E37CBF
                                        • Part of subcall function 00E36844: RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00E47764,?,00000000,00000000), ref: 00E36860
                                        • Part of subcall function 00E3DC60: NtTerminateProcess.NTDLL(00E37DB8,00000000), ref: 00E3DCC3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeapManagerOpenProcessTerminate
                                      • String ID:
                                      • API String ID: 3645570960-0
                                      • Opcode ID: aa2c3a89212592908e7bc63bb13edc0055534c7eda98071c64b7cb9274038bdc
                                      • Instruction ID: 5c331da64917c0b0909c2518e8d7fbeb4f7b72c6f943415d9842e194f2cee0aa
                                      • Opcode Fuzzy Hash: aa2c3a89212592908e7bc63bb13edc0055534c7eda98071c64b7cb9274038bdc
                                      • Instruction Fuzzy Hash: CB410371940209FFEF219B91DC4ABEEBBB9AF08706F904465F601B60E0D7B15A94DB50
                                      APIs
                                        • Part of subcall function 00E35C24: FindFirstFileW.KERNELBASE(?,?,?,00000004,?), ref: 00E35CF7
                                        • Part of subcall function 00E35C24: FindClose.KERNELBASE(000000FF,?,00000000), ref: 00E35D1C
                                      • RtlAllocateHeap.NTDLL(?,00000000,00000010,00000000,00000000,00000000,00000000,?,?,00E36408,00E5540C,00E35EE8,00000000,00000000,7E631824), ref: 00E35DE4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$AllocateCloseFileFirstHeap
                                      • String ID:
                                      • API String ID: 1673784098-0
                                      • Opcode ID: 6aa6ab6f3a8d40e69fdb75059b62d8e3266041796467851bdc4e4ca92ca89f1e
                                      • Instruction ID: 245826c95e843f290128129b1a8a65db310398de1b2e17c533a997ea7ace3d7b
                                      • Opcode Fuzzy Hash: 6aa6ab6f3a8d40e69fdb75059b62d8e3266041796467851bdc4e4ca92ca89f1e
                                      • Instruction Fuzzy Hash: A931F6366047029ED720CF298884756FED4BF41311F18E7A9E109EF393EAB1C480CB96
                                      APIs
                                        • Part of subcall function 00E3903C: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 00E3905E
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00E391AF
                                        • Part of subcall function 00E3DC60: NtTerminateProcess.NTDLL(00E37DB8,00000000), ref: 00E3DCC3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdjustCloseHandlePrivilegeProcessServiceTerminate
                                      • String ID:
                                      • API String ID: 3176663195-0
                                      • Opcode ID: b39b7a0736bdff3d2cee96389ee217b5901e7bad3f63d745f01c31c1216cfdfc
                                      • Instruction ID: caa5f300a9a5d91e9fcfb5788eef69d76217c802c135392540bdd91fc2162110
                                      • Opcode Fuzzy Hash: b39b7a0736bdff3d2cee96389ee217b5901e7bad3f63d745f01c31c1216cfdfc
                                      • Instruction Fuzzy Hash: F7314571940309EFEB109FA1DC4DB9DBFB8AF0470AF4044A4E604BA1A1D7B59A98DB50
                                      APIs
                                        • Part of subcall function 00E397D8: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E39805
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,7DDDCD9C), ref: 00E38DE6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InformationManagerOpenQuerySystem
                                      • String ID:
                                      • API String ID: 1910025873-0
                                      • Opcode ID: 9e2374defd0aa88b738d4db5a34c5de5e61360bfa0f58da2ee1d6212109d7bfd
                                      • Instruction ID: b4ae71b399155683ea704ecae880e557994a715f0bb86f38bf3762f54bbeebad
                                      • Opcode Fuzzy Hash: 9e2374defd0aa88b738d4db5a34c5de5e61360bfa0f58da2ee1d6212109d7bfd
                                      • Instruction Fuzzy Hash: 6231F571900308EFDB148F91CE4DBADBFB4EB0470AF6484A5F502BB2A0DBB58A44CB51
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 337c3b50e3b579a63cef6d5b0b8552e64c84637b1ec07d4de9d2af29ab57b297
                                      • Instruction ID: 4bbe7c1cd0879b35562ddbc6bd4bc3f0f30f6a91354fa1368c45f2860589d74c
                                      • Opcode Fuzzy Hash: 337c3b50e3b579a63cef6d5b0b8552e64c84637b1ec07d4de9d2af29ab57b297
                                      • Instruction Fuzzy Hash: 2A211531941208FFDF109FA4DC4ABA9BFB1FF15306F10A0B4E9047A2A1E7314A94EB44
                                      APIs
                                      • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000000), ref: 00E3905E
                                        • Part of subcall function 00E397D8: NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400,00000400), ref: 00E39805
                                        • Part of subcall function 00E39880: NtClose.NTDLL(00000000), ref: 00E39971
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdjustCloseInformationPrivilegeQuerySystem
                                      • String ID:
                                      • API String ID: 327775174-0
                                      • Opcode ID: cbf3f3fdaece1969d5cd934f19fcbbd6fafbeda53264cf43699eef3868d79ca9
                                      • Instruction ID: 51c2341701608f7e3fb2035a74352a7871c5c015b32f89c0866301b878fe6c8a
                                      • Opcode Fuzzy Hash: cbf3f3fdaece1969d5cd934f19fcbbd6fafbeda53264cf43699eef3868d79ca9
                                      • Instruction Fuzzy Hash: A1014470900308BFEB24AFA5CC4DFDD7AB89B00716F104194B515BA1D1E7B54A84CB91
                                      APIs
                                      • RtlAdjustPrivilege.NTDLL(00000000,00000001,00000000,?), ref: 00E3B727
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdjustPrivilege
                                      • String ID:
                                      • API String ID: 3260937286-0
                                      • Opcode ID: 9963cb9a014c5dd76d54c8b4a7c70c93b8f0ff9899827fbef32039e34a47c5f5
                                      • Instruction ID: 652383d3dd1a3f0e0d4110301230c84f986558c4b114aeb5af2af27f1a822332
                                      • Opcode Fuzzy Hash: 9963cb9a014c5dd76d54c8b4a7c70c93b8f0ff9899827fbef32039e34a47c5f5
                                      • Instruction Fuzzy Hash: 32D02B321042196AC73416546C0ABF2375DC780321F101313AF03FB1D0FB52594881E1
                                      APIs
                                      • RtlReAllocateHeap.NTDLL(?,00000008,?,00000400,?,00E39825,?,00000400), ref: 00E368B3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: fad0468078988afb44341b9715c88310b3b89a7ec161a344869a4520f9a4877d
                                      • Instruction ID: 9867de8bb40080f827ff21d0a3641e39604304697703918d5e983ecd79d1a176
                                      • Opcode Fuzzy Hash: fad0468078988afb44341b9715c88310b3b89a7ec161a344869a4520f9a4877d
                                      • Instruction Fuzzy Hash: A8D0A731040704AFCB445F54DC09FCA3B68BB14301F40C050FA445A061C771D454DB40
                                      APIs
                                      • RtlFreeHeap.NTDLL(?,00000000,00000000,?,00E477F4,00000000), ref: 00E36888
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      • Associated: 00000000.00000002.2155529017.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155575161.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155596558.0000000000E4B000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155620915.0000000000E54000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155642267.0000000000E56000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2155660997.0000000000E57000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      APIs
                                      • RtlAllocateHeap.NTDLL(?,00000008,00000000,?,00E47764,?,00000000,00000000), ref: 00E36860
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      APIs
                                      • CheckTokenMembership.KERNELBASE(00000000,00E3B4CC,?), ref: 00E3B4ED
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CheckMembershipToken
                                      • String ID:
                                      • API String ID: 1351025785-0
                                      APIs
                                      • GetLogicalDriveStringsW.KERNELBASE(?,?), ref: 00E3A47B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DriveLogicalStrings
                                      • String ID:
                                      • API String ID: 2022863570-0
                                      APIs
                                      • GetDriveTypeW.KERNELBASE(?), ref: 00E3A1B6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DriveType
                                      • String ID:
                                      • API String ID: 338552980-0
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00E37853
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Initialize
                                      • String ID:
                                      • API String ID: 2538663250-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2155551918.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e30000_71p2xmx6rP.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:

                                      Execution Graph

                                      Execution Coverage:32.4%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:1.3%
                                      Total number of Nodes:160
                                      Total number of Limit Nodes:1

                                      Callgraph

                                      • Executed
                                      • Not Executed
                                      • Opacity -> Relevance
                                      • Disassembly available

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2158562157.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2158540551.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2158593069.0000000000404000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2158615204.0000000000405000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2158634643.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_4BD.jbxd
                                      Similarity
                                      • API ID: Text$Color$CreateWindow$Proc$CommandFontFreeHandleLibraryLineLoadMenuModule$AddressBitmapCharsetErrorExitInfoLastLocaleObjectProcessSelect
                                      • String ID:
                                      • API String ID: 3548022523-0

                                      APIs
                                      • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,80000000,00000000), ref: 00402F82
                                      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00010000,00001000,00000004), ref: 00402FDB
                                      • WriteFile.KERNELBASE(000000FF,00000000,00010000,00010000,00000000), ref: 0040305F
                                      • SetFilePointerEx.KERNELBASE(000000FF,00010000,?,00000000,00000001), ref: 0040307E
                                      • SetFilePointerEx.KERNELBASE(000000FF,00010000,00000000,00000000,00000000,?,00000000,00000001), ref: 004030B3
                                      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00010000,00008000,?,00000000,00000001), ref: 004030E4
                                      • NtClose.NTDLL(000000FF,?,00000000,00000001), ref: 004030FC
                                      • DeleteFileW.KERNELBASE(?,?,00000000,00000001), ref: 00403118
                                      Similarity
                                      • API ID: File$MemoryPointerVirtual$AllocateCloseCreateDeleteFreeWrite
                                      • String ID:
                                      • API String ID: 590822095-0

                                      APIs
                                      • FindFirstFileExW.KERNELBASE(C:\Windows\System32\*.dll,00000000,?,00000000,00000000,00000000), ref: 00401601
                                      • FindClose.KERNELBASE(000000FF,?,00000000), ref: 0040162D
                                      • FindNextFileW.KERNELBASE(000000FF,?,?,00000000), ref: 00401653
                                      • FindClose.KERNEL32(000000FF), ref: 00401660
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: C:\Windows\System32\*.dll
                                      • API String ID: 1164774033-1305136377

                                      APIs
                                      • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040278B
                                      • ReadFile.KERNELBASE(000000FF,00000000,00000000,00000000,00000000), ref: 004027D3
                                      • NtClose.NTDLL(000000FF), ref: 004027FF
                                      Similarity
                                      • API ID: File$CloseCreateRead
                                      • String ID:
                                      • API String ID: 1419693385-0

                                      APIs
                                      • NtSetInformationProcess.NTDLL(000000FF,00000021,?,00000004), ref: 00402888
                                      • NtSetInformationProcess.NTDLL(000000FF,00000012,00000000,00000002,?,00000004), ref: 0040289D
                                      • NtSetInformationProcess.NTDLL(000000FF,0000000C,00000000,00000004,?,00000004), ref: 004028B5
                                      Similarity
                                      • API ID: InformationProcess
                                      • String ID:
                                      • API String ID: 1801817001-0

                                      APIs
                                      • NtProtectVirtualMemory.NTDLL(000000FF,00000000,00000020,00000040,?), ref: 00401E0B
                                      Similarity
                                      • API ID: MemoryProtectVirtual
                                      • String ID:
                                      • API String ID: 2706961497-3916222277

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00103000,00000040), ref: 0040171F
                                      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00103000,00000004), ref: 00401742
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0

                                      APIs
                                      • FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 004022A4
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID:
                                      • API String ID: 1974802433-0
                                      APIs
                                      • NtSetInformationThread.NTDLL(00000000,?,00000000,00000000), ref: 00401DBB
                                      Similarity
                                      • API ID: InformationThread
                                      • String ID:
                                      • API String ID: 4046476035-0

                                      APIs
                                      • RtlCreateHeap.NTDLL(00001002,00000000,00000000,00000000,00000000,00000000), ref: 00401B96
                                      • RtlCreateHeap.NTDLL(00041002,00000000,00000000,00000000,00000000,00000000), ref: 00401BBB
                                      Similarity
                                      • API ID: CreateHeap
                                      • String ID:
                                      • API String ID: 10892065-0

                                      APIs
                                      • GetShortPathNameW.KERNELBASE(00000000,00000000,?), ref: 00402340
                                      Similarity
                                      • API ID: NamePathShort
                                      • String ID:
                                      • API String ID: 1295925010-0

                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004026FF
                                      • ReadFile.KERNELBASE(000000FF,000000FF,0000021C,?,00000000), ref: 00402722
                                      Similarity
                                      • API ID: File$CreateRead
                                      • String ID:
                                      • API String ID: 3388366904-0

                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00000008,00000010), ref: 00401A6D
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 3090814481001f51fad53404be7bb9f089635e5ecf5702693e45b6397da5dce2
                                      • Instruction ID: 68c0462a3af62cc3e50a8e225ecc1fff045641083c52707b2e4de1a33f1d8fac
                                      • Opcode Fuzzy Hash: 3090814481001f51fad53404be7bb9f089635e5ecf5702693e45b6397da5dce2
                                      • Instruction Fuzzy Hash: 9F316935A14308DFDB10CF99C488E99F7F1BF24320F15D0AAD508AB2B2D7B59950DB4A

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      control_flow_graph 245 402e10-402e35 247 402e37 245->247 248 402e39-402e4e 245->248 249 402eab-402eb7 247->249 253 402e50 248->253 254 402e52-402e57 248->254 250 402ec5-402eca 249->250 251 402eb9-402ebf 249->251 251->250 253->249 255 402e5c-402e6d 254->255 257 402e70-402e7a 255->257 257->257 258 402e7c-402e8f MoveFileExW 257->258 259 402e91 258->259 260 402e93-402ea9 258->260 259->249 260->249 260->255
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2158562157.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000002.00000002.2158540551.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158593069.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158615204.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158634643.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_4BD.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2ec2b1c2d5d64686e5e6a52de2e159d7ebe58570cf782c44f0051c3652f2bf9a
                                      • Instruction ID: 64be472d3da9365df722bb42b6a14b0a0006b9682bbf08d732ce7ada7e71b141
                                      • Opcode Fuzzy Hash: 2ec2b1c2d5d64686e5e6a52de2e159d7ebe58570cf782c44f0051c3652f2bf9a
                                      • Instruction Fuzzy Hash: 8A214C71940208EFDB109F90DE49B9ABB71FF18301F2081BAE505AA2E1D3759E91DF89

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      control_flow_graph 262 402a78-402a9c call 4028ba 264 402aa3-402ac2 262->264 265 402a9e 262->265 270 402ac4-402ad3 264->270 271 402ad5-402ae0 264->271 266 402b28-402b2c 265->266 267 402b3a-402b40 266->267 268 402b2e-402b34 266->268 268->267 270->266 274 402ae2-402ae8 271->274 275 402aea 271->275 276 402af0-402b1f CreateMutexW 274->276 275->276 276->266 277 402b21 276->277 277->266
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2158562157.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000002.00000002.2158540551.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158593069.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158615204.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158634643.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_4BD.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 76ac4189c2e983f292498be2e35779ead737e5081f8c929ef40d6d428a78efce
                                      • Instruction ID: 5f31ce468cef0475a522e9655e813cee8f96e501922e94d34a843d9ecc1c4f5f
                                      • Opcode Fuzzy Hash: 76ac4189c2e983f292498be2e35779ead737e5081f8c929ef40d6d428a78efce
                                      • Instruction Fuzzy Hash: A921F974901608EFDB00CF90EA8C79EBB71FF08301F6045A9E5017A2A0D7B95A85DF89

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      control_flow_graph 279 401474-401488 280 40148a-40148d 279->280 281 4014ac-4014b3 call 4013f8 279->281 282 401493-401498 280->282 285 4014b8-4014d2 LdrLoadDll 281->285 282->282 284 40149a-4014aa call 4013f8 282->284 284->285
                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000000,?), ref: 004014C4
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2158562157.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000002.00000002.2158540551.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158593069.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158615204.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158634643.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_4BD.jbxd
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: cc821bb6490c49b643c0aee4c8a66cc2fb92e167f5171f05bab2522af16bb81c
                                      • Instruction ID: 140de97a3c31e0856ca0b204e221eb1e366fb0b1d4fd9a07ba92ba20ce5f8dd4
                                      • Opcode Fuzzy Hash: cc821bb6490c49b643c0aee4c8a66cc2fb92e167f5171f05bab2522af16bb81c
                                      • Instruction Fuzzy Hash: F7F03C3690020DFADF10EAA4D848FDE77BCEB14314F0041A6E904B7190D238AA099BA5
                                      APIs
                                      • RtlAdjustPrivilege.NTDLL(?,00000001,00000000,00000000), ref: 00402861
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2158562157.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000002.00000002.2158540551.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158593069.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158615204.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158634643.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_4BD.jbxd
                                      Similarity
                                      • API ID: AdjustPrivilege
                                      • String ID:
                                      • API String ID: 3260937286-0
                                      • Opcode ID: b838e4be5c385c0dc624d50355c604d381d153ee0a89857c9e86ae645bc67477
                                      • Instruction ID: 70193a9dbc7aa9cd3770003b3bb97339f6e2972f30e24310785a39762e1cef45
                                      • Opcode Fuzzy Hash: b838e4be5c385c0dc624d50355c604d381d153ee0a89857c9e86ae645bc67477
                                      • Instruction Fuzzy Hash: B9E0263251821AABCB20A2189E0CBA7739DD744314F1043B6A805F71D1EAF69A0A87DA
                                      APIs
                                      • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 004020D7
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2158562157.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000002.00000002.2158540551.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158593069.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158615204.0000000000405000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000002.00000002.2158634643.0000000000406000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_400000_4BD.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 37c2d1e8b064bb17fe79b9677c4ca25dfdae977e826a45f6764b5f2e7935cd48
                                      • Instruction ID: 701e22a529f931561d5ec47da2ef603e250127bb9ab3ab4db12cbc5835053477
                                      • Opcode Fuzzy Hash: 37c2d1e8b064bb17fe79b9677c4ca25dfdae977e826a45f6764b5f2e7935cd48
                                      • Instruction Fuzzy Hash: 05D0C97A140609ABC6009F94E949D87F769FF58711B00C6A1BA045B222C630E890CFD4